GRANT - PolarDB - Alibaba Cloud Documentation Center

Defines access privileges.

Syntax

GRANT { { SELECT | INSERT | UPDATE | DELETE | REFERENCES }
  [,...] | ALL [ PRIVILEGES ] }
  ON tablename
  TO { username | groupname | PUBLIC } [, ...]
  [ WITH GRANT OPTION ]

GRANT { { INSERT | UPDATE | REFERENCES } (column [, ...]) }
  [, ...]
  ON tablename
  TO { username | groupname | PUBLIC } [, ...]
  [ WITH GRANT OPTION ]

GRANT { SELECT | ALL [ PRIVILEGES ] }
  ON sequencename
  TO { username | groupname | PUBLIC } [, ...]
  [ WITH GRANT OPTION ]

GRANT { EXECUTE | ALL [ PRIVILEGES ] }
  ON FUNCTION progname
    ( [ [ argmode ] [ argname ] argtype ] [, ...] )
  TO { username | groupname | PUBLIC } [, ...]
  [ WITH GRANT OPTION ]

GRANT { EXECUTE | ALL [ PRIVILEGES ] }
  ON PROCEDURE progname
    [ ( [ [ argmode ] [ argname ] argtype ] [, ...] ) ]
  TO { username | groupname | PUBLIC } [, ...]
  [ WITH GRANT OPTION ]

GRANT { EXECUTE | ALL [ PRIVILEGES ] }
  ON PACKAGE packagename
  TO { username | groupname | PUBLIC } [, ...]
  [ WITH GRANT OPTION ]

GRANT role [, ...]
  TO { username | groupname | PUBLIC } [, ...]
  [ WITH ADMIN OPTION ]

GRANT { CONNECT | RESOURCE | DBA } [, ...]
  TO { username | groupname } [, ...]
  [ WITH ADMIN OPTION ]

GRANT CREATE [ PUBLIC ] DATABASE LINK
  TO { username | groupname }

GRANT DROP PUBLIC DATABASE LINK
  TO { username | groupname }

GRANT EXEMPT ACCESS POLICY
  TO { username | groupname }

Description

The GRANT command has three basic variants: the one that grants privileges on a database object (table, view, sequence, or program), the one that grants membership in a role, and the one that grants system privileges. These variants are similar in many ways, but they are different. For information about each variant, see the specific topic.

In PolarDB for PostgreSQL(Compatible with Oracle), the concept of users and groups is unified into a single type of entity that is called a role. A user is a role that has the LOGIN attribute. You can use the role to create a session and connect to an application. A group is a role that does not have the LOGIN attribute. You cannot use the role to create a session or connect to an application.

A role can be a member of one or more other roles. Therefore, the traditional concept of user membership in groups is still valid. However, users can belong to users and groups due to the generalization of users and groups. This forms a general multi-level hierarchy of roles. Whether a grantee is a user or a group is not distinguished in the GRANT command, because usernames and group names share the same namespace.