
DCL commands are used to enforce database security in a multiple user database environment.

Two types of DCL commands are GRANT and REVOKE. Only database administrators or owners of the database object can provide or remove privileges on a database object.

SQL GRANT Command


SQL GRANT is a command used to provide access or privileges on the database objects to the users. The Syntax for the GRANT command is:

GRANT privilege_name ON object_name TO {user_name | PUBLIC | role_name} [WITH GRANT OPTION];

privilege_name is the access right or privilege granted to the user. Some of the access rights are ALL, EXECUTE, and SELECT.

object_name is the name of a database object like TABLE, VIEW, STORED PROC and SEQUENCE.

user_name is the name of the user to whom an access right is being granted.

PUBLIC is used to grant access rights to all users.

ROLES are a set of privileges grouped together.

WITH GRANT OPTION allows a user to grant access rights to other users.

For example:

GRANT SELECT ON employee TO user1;

This command grants a SELECT permission on the employee table to user1. You should use the WITH GRANT OPTION carefully: for example, if you GRANT the SELECT privilege on the employee table to user1 using the WITH GRANT OPTION, then user1 can GRANT the SELECT privilege on the employee table to another user, such as user2. Later, if you REVOKE the SELECT privilege on employee from user1, user2 will still have the SELECT privilege on the employee table.

SQL REVOKE Command:


The REVOKE command removes user access rights or privileges to the database objects. The Syntax for the REVOKE command is:

REVOKE privilege_name ON object_name FROM {user_name | PUBLIC | role_name}

For example:

REVOKE SELECT ON employee FROM user1;

This command will REVOKE a SELECT privilege on the employee table from user1. When you REVOKE the SELECT privilege on a table from a user, the user will not be able to SELECT data from that table anymore. However, if the user has received SELECT privileges on that table from more than one user, he/she can SELECT from that table until everyone who granted the permission revokes it. You cannot REVOKE privileges if they were not initially granted by you.

Privileges and Roles:

Privileges: Privileges define the access rights provided to a user on a database object. There are two types of privileges.

1) System privileges - This allows the user to CREATE, ALTER, or DROP database objects.

2) Object privileges - This allows the user to EXECUTE, SELECT, INSERT, UPDATE, or DELETE data from database objects to which the privileges apply.

A few CREATE system privileges are listed below:

System Privileges     Description
CREATE object         allows users to create the specified object in their own schema.
CREATE ANY object     allows users to create the specified object in any schema.

The above rules also apply for ALTER and DROP system privileges. A few of the object privileges are listed below:

Object Privileges     Description
INSERT                allows users to insert rows into a table.
SELECT                allows users to select data from a database object.
UPDATE                allows user to update data in a table.
EXECUTE               allows user to execute a stored procedure or a function.

Roles: Roles are a collection of privileges or access rights. When there are many users in a database it becomes difficult to grant or revoke privileges to users. Therefore, if you define roles, you can grant or revoke privileges to users, thereby automatically granting or revoking privileges. You can either create roles or use the system roles pre-defined by Oracle. Some of the privileges granted to the system roles are as given below:

System Role     Privileges Granted to the Role
CONNECT         CREATE TABLE, CREATE VIEW, CREATE SYNONYM, CREATE SEQUENCE, CREATE SESSION etc.
RESOURCE        CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER etc. The primary usage of the RESOURCE role is to restrict access to database objects.
DBA             ALL SYSTEM PRIVILEGES

Creating Roles:
The Syntax to create a role is:

CREATE ROLE role_name [IDENTIFIED BY password];

For example: To create a role called "developer" with password as "pwd", the code will be as follows:

CREATE ROLE testing IDENTIFIED BY pwd;

It's easier to GRANT or REVOKE privileges to the users through a role rather than assigning a privilege directly to every user. If a role is identified by a password, then, when you GRANT or REVOKE privileges to the role, you definitely have to identify it with the password. We can GRANT or REVOKE a privilege to a role as below.

For example: To grant the CREATE TABLE privilege to a user by creating a testing role:

First, create a testing role.

CREATE ROLE testing;


Second, grant a CREATE TABLE privilege to the ROLE testing. You can add more privileges to the ROLE.

GRANT CREATE TABLE TO testing;


Third, grant the role to a user.

GRANT testing TO user1;


To revoke a CREATE TABLE privilege from testing ROLE, you can write:

REVOKE CREATE TABLE FROM testing;


The Syntax to drop a role from the database is as below:

DROP ROLE role_name;


For example: To drop a role called developer, you can write:

DROP ROLE testing;
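
An added example (not part of the original page): data-dictionary queries an administrator can run to review the kinds of grants discussed above, namely privileges passed on through WITH GRANT OPTION or given to PUBLIC, holders of the testing role, and "ANY" system privileges given directly to users. It assumes an Oracle database, access to the DBA_ views, and a hypothetical owning schema HR for the employee table.

```sql
-- Added example, not from the original page. Uses Oracle data dictionary views.
-- Assumption: the employee table lives in a schema called HR (hypothetical).
-- Unquoted identifiers are stored in upper case, hence 'EMPLOYEE' and 'TESTING'.

-- 1. Object grants on the table that can spread or are overly broad:
--    grantable (WITH GRANT OPTION), made to PUBLIC, or issued by someone
--    other than the owner (that is, passed on through a grant option).
SELECT grantee, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  owner = 'HR'
AND    table_name = 'EMPLOYEE'
AND    (grantable = 'YES' OR grantee = 'PUBLIC' OR grantor <> owner)
ORDER  BY grantor, grantee, privilege;

-- 2. Who holds the testing role, and who is allowed to grant it on to others.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'TESTING'
ORDER  BY admin_option DESC, grantee;

-- 3. "ANY" system privileges (CREATE ANY, ALTER ANY, DROP ANY ...) granted
--    directly to users instead of through a role.
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
WHERE  p.privilege LIKE '% ANY %'
AND    p.grantee NOT IN (SELECT role FROM dba_roles)
ORDER  BY p.grantee, p.privilege;
```

Running the first query before a REVOKE shows which grantees received the privilege from someone other than the owner, so those grants can be reviewed at the same time.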

Example's database definition


The database handles a single catalog of audio CDs. It consists of two tables called 'album' and 'song'.

Definition of the table 'album'
This table holds information about audio CDs, as there is one album on one audio CD.

Attribute name     Attribute data type     Comment
id                 INTEGER                 Primary key
name               VARCHAR(80)             A name of the album
interpreter        VARCHAR(80)             A name of the album's interpreter
notes              LONG VARCHAR            Any notes about the album
released           DATE                    The date the album has been released on

Definition of the table 'song'
This table holds information about songs on albums.

Attribute name     Attribute data type     Comment
id                 INTEGER                 Primary key
album              INTEGER                 Foreign key into the table 'album'
name               VARCHAR(80)             A name of the song
notes              LONG VARCHAR            Any notes about the song
length             TIME                    Song's length

The SELECT statement


Example #1
Select all albums of Elvis Presley and sort them descending by the date of release.

SELECT * FROM album WHERE interpreter = 'Elvis Presley' ORDER BY released DESC

Example #2
Select name and notes of the album where the 'Only You' song is recorded and performed by Elvis Presley.

SELECT a.name, a.notes FROM album a, song s WHERE s.name = 'Only You' AND s.album = a.id AND a.interpreter = 'Elvis Presley'

Example #3
Select all songs whose name begins with 'Th'.

SELECT * FROM song WHERE name LIKE 'Th%'

Example #4
Select all notes of albums, which don't begin with '50%'.

SELECT notes FROM album WHERE notes NOT LIKE '50@%%' ESCAPE '@'

Example #5
Select minimum, average and maximum lengths of songs for each interpreter where the song length is not between 2:00 and 2:40 minutes.

SELECT a.interpreter, MIN(s.length) AS "Minimum", MAX(s.length) AS "Maximum", AVG(s.length) AS "Average"
FROM album a, song s
WHERE s.album = a.id AND s.length NOT BETWEEN '0:2:00' AND '0:2:40'
GROUP BY a.interpreter

Note that the text format of time generally depends on locale settings.

Example #6
Select all dates when any album has been released and handle cases of not entered values.

SELECT DISTINCT NVL(released, 'Not all dates were entered!') FROM album


The INSERT statement


Example #7
Insert a new album of Elvis Presley by filling only id, interpreter and name.

INSERT INTO album (id, interpreter, name) VALUES (1, 'Elvis Presley', 'Love Me Tender')

Example #8
Insert the song 'Are you lonesome tonight?' for this album and fill all attributes.

INSERT INTO song VALUES (1, 1, 'Are you lonesome tonight?', 'My almost most favorite song', '0:3:06')

Note that the text format of time generally depends on your locale settings.


The UPDATE statement


Example #9
There are some albums where the interpreter is 'Elvis'. Correct it to 'Elvis Presley'.

UPDATE album SET interpreter = 'Elvis Presley' WHERE interpreter = 'Elvis'


The DELETE statement


Example #10
There is the song 'Bad Medicine' in the table 'song' that belongs, in this database, to the album 'Top Ten Hits' by Elvis Presley, but this song is by Bon Jovi and there is no album of theirs in the table 'album'. Delete this song.

DELETE FROM song WHERE name = 'Bad Medicine'


The CREATE statement


Example #11
Create the tables 'album' and 'song'.

CREATE TABLE album (
  id INTEGER PRIMARY KEY,
  name VARCHAR(80),
  interpreter VARCHAR(80),
  notes LONG VARCHAR,
  released DATE);

CREATE TABLE song (
  id INTEGER PRIMARY KEY,
  album INTEGER NOT NULL,
  name VARCHAR(80),
  notes LONG VARCHAR,
  length TIME,
  CONSTRAINT albumkey FOREIGN KEY (album) REFERENCES album(id));

Note that (album) is the 'song' table's attribute, while album(id) means the attribute 'id' of the 'album' table.

Example #12
Create a view containing only albums of Elvis Presley.

CREATE VIEW ElvisAlbums AS SELECT * FROM album WHERE interpreter = 'Elvis Presley'


The ALTER statement


Example #13
There is a name of the CD manufacturer on each CD. Add this attribute into the table 'album'.

ALTER TABLE album ADD manufacturer VARCHAR(50)

Example #14
Because the name of the manufacturer is useless, delete the attribute added in example #13.

ALTER TABLE album DROP manufacturer


The DROP statement


Example #15
You are closing the whole CD catalog. Delete both tables.

DROP TABLE song;
DROP TABLE album;

Note that the table 'song' must be deleted first because it contains a reference to the second table.


The GRANT and REVOKE statements


Example #16
As you may have noticed, the CD catalog mainly contains albums of the rock'n'roll king Elvis Presley. He, as the king, should have adequate rights. Give them to him; his user name is Elvis.

GRANT SELECT, INSERT, UPDATE, DELETE ON album, song TO Elvis WITH GRANT OPTION

Example #17
Because the database may be accessed by a wide public, grant them only the SELECT statement.

REVOKE INSERT, UPDATE, DELETE ON album, song FROM PUBLIC

Example #18
Create a group of users, which can add and modify records, but not delete them.

CREATE ROLE editors;
GRANT SELECT, INSERT, UPDATE ON album, song TO editors;

Example #19
You have got a new guy in your team and you want to authorize him to delete records. His user name is JBlack. Take advantage of example #18.

GRANT editors TO JBlack;
GRANT DELETE ON album, song TO JBlack;

Example #20
Once again you are alone to maintain the CD catalog, because all your co-workers are gone. Only the editors role is left and useless. Delete it.

DROP ROLE editors


Stored procedures
Example #21
There is a procedure named GetAlbum that returns the value of the attribute 'id' of the table 'album' for a record represented by interpreter and album name. Get the primary key for the 'Top Ten Hits' album by Elvis Presley.

{CALL GetAlbum('Elvis Presley', 'Top Ten Hits')}

Note that the result will be displayed and then discarded.


Transactions
Example #22
You are going to give the album 'Greatest Hits' by Roxette to your best friend as a birthday present. Delete all songs of this album, and the album itself, from the catalog. Use the procedure from example #21. Here you have to start the transaction using the specific features of your DBMS.

DELETE FROM song WHERE album = GetAlbum('Roxette', 'Greatest Hits');
DELETE FROM album WHERE id = GetAlbum('Roxette', 'Greatest Hits');

Set operators (UNION, UNION ALL, MINUS, INTERSECT) [SQL]


select col_1, col_2, col_3, ... col_n from table_1
set operator
select col_1, col_2, col_3, ... col_n from table_2
set operator
...
...
select col_1, col_2, col_3, ... col_n from table_n;

The four set operators union, union all, intersect and minus allow more than one select statement to be combined serially. Although more than one select statement is then present, only one result set is returned. If the select statements vary in their numbers of returned columns, Oracle reports an ORA-01789: query block has incorrect number of result columns. For the demonstration of set operators, the following test tables are created:

create table table_1 (
  col_1 number,
  col_2 varchar2(10),
  col_3 date
);

create table table_2 (
  col_1 number,
  col_2 varchar2(10),
  col_3 date
);

Then, a few values are inserted:

alter session set nls_date_format='dd.mm.yyyy';

insert into table_1 values (  3, 'hello' , to_date('28.08.1970'));
insert into table_1 values ( 42, 'galaxy', to_date('01.01.2001'));
insert into table_1 values (100, 'bye'   , to_date('09.02.2004'));

insert into table_2 values (  3, 'bye'   , to_date('28.08.1970'));
insert into table_2 values ( 42, 'galaxy', to_date('01.01.2001'));
insert into table_2 values ( 60, 'bye'   , to_date('09.02.2004'));
insert into table_2 values (  3, 'hello' , to_date('05.05.2002'));

union all
union all selects all rows from all select statements:

select col_1, col_2, col_3 from table_1
union all
select col_1, col_2, col_3 from table_2;

As can be seen, all records of both tables are returned:

     COL_1 COL_2      COL_3
---------- ---------- ----------
         3 hello      28.08.1970
        42 galaxy     01.01.2001
       100 bye        09.02.2004
         3 bye        28.08.1970
        42 galaxy     01.01.2001
        60 bye        09.02.2004
         3 hello      05.05.2002

union
union is very similar to union all; however, it dismisses duplicate rows found across different select statements:

select col_1, col_2, col_3 from table_1
union
select col_1, col_2, col_3 from table_2;

The galaxy record is a duplicate. Hence, it is returned only once:

     COL_1 COL_2      COL_3
---------- ---------- ----------
         3 bye        28.08.1970
         3 hello      28.08.1970
         3 hello      05.05.2002
        42 galaxy     01.01.2001
        60 bye        09.02.2004
       100 bye        09.02.2004

intersect
intersect only returns the rows that are found in all select statements:

select col_1, col_2, col_3 from table_1
intersect
select col_1, col_2, col_3 from table_2;

Only the galaxy record is returned. It's the only record that is stored in both tables:

     COL_1 COL_2      COL_3
---------- ---------- ----------
        42 galaxy     01.01.2001

minus
minus returns all rows from the first select statement except those that are duplicated in a following select statement:

select col_1, col_2, col_3 from table_1
minus
select col_1, col_2, col_3 from table_2;

As the galaxy record is found in both tables, it is removed from the first table's record set:

     COL_1 COL_2      COL_3
---------- ---------- ----------
         3 hello      28.08.1970

Difference:
Exclude rows common to both tables. Which records in TABLE_A do not share A_KEY in TABLE_B?

select * from TABLE_A where A_KEY not in (select A_KEY from TABLE_B)

With the SQL-92 standard's keyword 'EXCEPT', which follows the same rules as the keyword 'UNION':

select * from TABLE_A EXCEPT select * from TABLE_B

also seen as:

select * from TABLE_A MINUS select * from TABLE_B

Division:
Find items in one set that are related to all of the items in another set. In a many-to-many relationship there are three tables, A, B, C with C as the table representing the many-to-many key pairs of A and B. For simple division: What are the 'A_KEY's to which all 'B_KEY's belong?

select distinct A_KEY from TABLE_C C
where not exists (
  select B_KEY from TABLE_B B
  where not exists (
    select * from TABLE_C CC
    where C.A_KEY = CC.A_KEY and B.B_KEY = CC.B_KEY ))

Partition:
What are the records of 'TABLE_A' that have the top ten values of 'ATTRIBUTE'?

select A.KEY, A.ATTRIBUTE from TABLE_A A, TABLE_A B
where A.ATTRIBUTE <= B.ATTRIBUTE
group by A.KEY, A.ATTRIBUTE
having count(*) <= 10
order by A.ATTRIBUTE

Or another SQL hack at partition:

select * from TABLE_A A where 10 >= (select count(*) from TABLE_A B where B.ATTRIBUTE >= A.ATTRIBUTE)

Intersection:
The intersection of two sets. What are the records of 'TABLE_A' that share a 'KEY' with records of 'TABLE_B'?

select * from TABLE_A where TABLE_A.KEY in (select TABLE_B.KEY from TABLE_B)

Or if 'intersect' is implemented it follows the same rules as 'union':

select distinct * from depositor intersect select distinct * from borrower
