<!--

$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.22 2002/04/21 00:26:42 tgl Exp $

$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.23 2002/04/22 19:17:40 tgl Exp $

PostgreSQL documentation

-->

<term>CREATE</term>

<listitem>

<para>

For databases, allows new schemas to be createdin the database.

For databases, allows new schemas to be createdwithin the database.

</para>

<para>

For schemas, allows new objects to be created within the specified

schema.

For schemas, allows new objects to be created within the schema.

</para>

</listitem>

</varlistentry>

of privilege that is applicable to procedural languages.

</para>

<para>

For schemas, allowsthe use of objects contained in the specified

For schemas, allowsaccess to objects contained in the specified

schema (assuming that the objects' own privilege requirements are

met). Essentially this allows the grantee to <quote>look up</>

alsomet). Essentially this allows the grantee to <quote>look up</>

objects within the schema.

</para>

</listitem>

<refsect1 id="SQL-GRANT-notes">

<title>Notes</title>

<para>

The <xref linkend="sql-revoke" endterm="sql-revoke-title"> command is used

to revoke access privileges.

</para>

<para>

It should be noted that database <firstterm>superusers</> can access

all objects regardless of object privilege settings. This

<para>

Use <xref linkend="app-psql">'s <command>\z</command> command

to obtain information about privileges

on existing objects:

to obtain information about existing privileges, for example:

<programlisting>

lusitania=> \z mytable

Access privileges for database "lusitania"

Table | Access privileges

---------+---------------------------------------

mytable | {=r,miriam=arwdRxt,"group todos=arw"}

</programlisting>

The entries shown by <command>\z</command> are interpreted thus:

<programlisting>

Database = lusitania

+------------------+---------------------------------------------+

| Relation | Grant/Revoke Permissions |

+------------------+---------------------------------------------+

| mytable | {"=rw","miriam=arwdRxt","group todos=rw"} |

+------------------+---------------------------------------------+

Legend:

uname=arwR -- privileges granted to a user

group gname=arwR -- privileges granted to a group

=arwR -- privileges granted to PUBLIC

=xxxx -- privileges granted to PUBLIC

uname=xxxx -- privileges granted to a user

group gname=xxxx -- privileges granted to a group

r -- SELECT ("read")

w -- UPDATE ("write")

C -- CREATE

T -- TEMPORARY

arwdRxt -- ALL PRIVILEGES (for tables)

</programlisting>

The above example display would be seen by user <literal>miriam</> after

creating table <literal>mytable</> and doing

<programlisting>

GRANT SELECT ON mytable TO PUBLIC;

GRANT SELECT,UPDATE,INSERT ON mytable TO GROUP todos;

</programlisting>

</para>

<para>

The <xref linkend="sql-revoke" endterm="sql-revoke-title"> command is used to revoke access

privileges.

If the <quote>Access privileges</> column is empty for a given object,

it means the object has default privileges (that is, its privileges field

is NULL). Currently, default privileges are interpreted the same way

for all object types: all privileges for the owner and no privileges for

anyone else. The first <command>GRANT</> on an object will instantiate

this default (producing, for example, <literal>{=,miriam=arwdRxt}</>)

and then modify it per the specified request.

</para>

</refsect1>