<!--

$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.78 2009/10/05 19:24:34 tgl Exp $

$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.79 2009/10/12 20:39:39 tgl Exp $

PostgreSQL documentation

-->

<synopsis>

GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }

[,...] | ALL [ PRIVILEGES ] }

ON [ TABLE ] <replaceable class="PARAMETER">table_name</replaceable> [, ...]

ON { [ TABLE ] <replaceable class="PARAMETER">table_name</replaceable> [, ...]

| ALL TABLES IN SCHEMA <replaceable class="PARAMETER">schema_name</replaceable> [, ...] }

TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( <replaceable class="PARAMETER">column</replaceable> [, ...] )

GRANT { { USAGE | SELECT | UPDATE }

[,...] | ALL [ PRIVILEGES ] }

ON SEQUENCE <replaceable class="PARAMETER">sequence_name</replaceable> [, ...]

ON { SEQUENCE <replaceable class="PARAMETER">sequence_name</replaceable> [, ...]

| ALL SEQUENCES IN SCHEMA <replaceable class="PARAMETER">schema_name</replaceable> [, ...] }

TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }

TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { EXECUTE | ALL [ PRIVILEGES ] }

ON FUNCTION <replaceable>function_name</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">arg_name</replaceable> ] <replaceable class="parameter">arg_type</replaceable> [, ...] ] ) [, ...]

ON { FUNCTION <replaceable>function_name</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">arg_name</replaceable> ] <replaceable class="parameter">arg_type</replaceable> [, ...] ] ) [, ...]

| ALL FUNCTIONS IN SCHEMA <replaceable class="PARAMETER">schema_name</replaceable> [, ...] }

TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }

to those already granted, if any.

</para>

<para>

There is also an option to grant privileges on all objects of the same

type within one or more schemas. This functionality is currently supported

only for tables, sequences, and functions (but note that <literal>ALL

TABLES</> is considered to include views).

</para>

<para>

The key word <literal>PUBLIC</literal> indicates that the

privileges are to be granted to all roles, including those that might

<!--

$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.52 2009/09/19 10:23:27 petere Exp $

$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.53 2009/10/12 20:39:39 tgl Exp $

PostgreSQL documentation

-->

REVOKE [ GRANT OPTION FOR ]

{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }

[,...] | ALL [ PRIVILEGES ] }

ON [ TABLE ] <replaceable class="PARAMETER">table_name</replaceable> [, ...]

ON { [ TABLE ] <replaceable class="PARAMETER">table_name</replaceable> [, ...]

| ALL TABLES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }

FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]

[ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]

{ { USAGE | SELECT | UPDATE }

[,...] | ALL [ PRIVILEGES ] }

ON SEQUENCE <replaceable class="PARAMETER">sequence_name</replaceable> [, ...]

ON { SEQUENCE <replaceable class="PARAMETER">sequence_name</replaceable> [, ...]

| ALL SEQUENCES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }

FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]

[ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]

{ EXECUTE | ALL [ PRIVILEGES ] }

ON FUNCTION <replaceable>function_name</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">arg_name</replaceable> ] <replaceable class="parameter">arg_type</replaceable> [, ...] ] ) [, ...]

ON { FUNCTION <replaceable>function_name</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">arg_name</replaceable> ] <replaceable class="parameter">arg_type</replaceable> [, ...] ] ) [, ...]

| ALL FUNCTIONS IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }

FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]

[ CASCADE | RESTRICT ]

staticvoidSetDefaultACL(InternalDefaultACL*iacls);

staticList*objectNamesToOids(GrantObjectTypeobjtype,List*objnames);

staticList*objectsInSchemaToOids(GrantObjectTypeobjtype,List*nspnames);

staticList*getRelationsInNamespace(OidnamespaceId,charrelkind);

staticvoidexpand_col_privileges(List*colnames,Oidtable_oid,

AclModethis_privileges,

AclMode*col_privileges,

istmt.is_grant=stmt->is_grant;

istmt.objtype=stmt->objtype;

istmt.objects=objectNamesToOids(stmt->objtype,stmt->objects);

switch (stmt->targtype)

{

caseACL_TARGET_OBJECT:

istmt.objects=objectNamesToOids(stmt->objtype,stmt->objects);

break;

caseACL_TARGET_ALL_IN_SCHEMA:

istmt.objects=objectsInSchemaToOids(stmt->objtype,stmt->objects);

break;

default:

elog(ERROR,"unrecognized GrantStmt.targtype: %d",

(int)stmt->targtype);

}

istmt.col_privs=NIL;/* may get filled below */

returnobjects;

}

objectsInSchemaToOids(GrantObjectTypeobjtype,List*nspnames)

{

List*objects=NIL;

ListCell*cell;

foreach(cell,nspnames)

{

char*nspname=strVal(lfirst(cell));

OidnamespaceId;

List*objs;

namespaceId=LookupExplicitNamespace(nspname);

switch (objtype)

{

caseACL_OBJECT_RELATION:

objs=getRelationsInNamespace(namespaceId,RELKIND_RELATION);

objects=list_concat(objects,objs);

objs=getRelationsInNamespace(namespaceId,RELKIND_VIEW);

objects=list_concat(objects,objs);

break;

caseACL_OBJECT_SEQUENCE:

objs=getRelationsInNamespace(namespaceId,RELKIND_SEQUENCE);

objects=list_concat(objects,objs);

break;

caseACL_OBJECT_FUNCTION:

{

ScanKeyDatakey[1];

Relationrel;

HeapScanDescscan;

HeapTupletuple;

ScanKeyInit(&key[0],

Anum_pg_proc_pronamespace,

BTEqualStrategyNumber,F_OIDEQ,

ObjectIdGetDatum(namespaceId));

rel=heap_open(ProcedureRelationId,AccessShareLock);

scan=heap_beginscan(rel,SnapshotNow,1,key);

while ((tuple=heap_getnext(scan,ForwardScanDirection))!=NULL)

{

objects=lappend_oid(objects,HeapTupleGetOid(tuple));

}

heap_endscan(scan);

heap_close(rel,AccessShareLock);

}

break;

default:

elog(ERROR,"unrecognized GrantStmt.objtype: %d",

(int)objtype);

}

}

returnobjects;

}

getRelationsInNamespace(OidnamespaceId,charrelkind)

{

List*relations=NIL;

ScanKeyDatakey[2];

Relationrel;

HeapScanDescscan;

HeapTupletuple;

ScanKeyInit(&key[0],

Anum_pg_class_relnamespace,

BTEqualStrategyNumber,F_OIDEQ,

ObjectIdGetDatum(namespaceId));

ScanKeyInit(&key[1],

Anum_pg_class_relkind,

BTEqualStrategyNumber,F_CHAREQ,

CharGetDatum(relkind));

rel=heap_open(RelationRelationId,AccessShareLock);

scan=heap_beginscan(rel,SnapshotNow,2,key);

while ((tuple=heap_getnext(scan,ForwardScanDirection))!=NULL)

{

relations=lappend_oid(relations,HeapTupleGetOid(tuple));

}

heap_endscan(scan);

heap_close(rel,AccessShareLock);

returnrelations;

}

GrantStmt*newnode=makeNode(GrantStmt);

COPY_SCALAR_FIELD(is_grant);

COPY_SCALAR_FIELD(targtype);

COPY_SCALAR_FIELD(objtype);

COPY_NODE_FIELD(objects);

COPY_NODE_FIELD(privileges);

_equalGrantStmt(GrantStmt*a,GrantStmt*b)

{

COMPARE_SCALAR_FIELD(is_grant);

COMPARE_SCALAR_FIELD(targtype);

COMPARE_SCALAR_FIELD(objtype);

COMPARE_NODE_FIELD(objects);

COMPARE_NODE_FIELD(privileges);