Informix Guide to SQL: Syntax

Informix Guide to SQL: Syntax
Chapter 1: SQL Statements

Home Contents Index Master Index New Book

SQL Statements

GRANT

authorize others to use, develop, or administrate a database that you create.
allow others to view, alter, or drop a table, synonym, or view that you create.
allow others to use a data type or execute a routine that you create.
give a role name and its privileges to one or more users.

As database owner, you also automatically receive table-level privileges on all tables in the database. For more information about table-level privileges, see "Table-Level Privileges".

Database access levels are, from lowest to highest, Connect, Resource, and DBA. Use the corresponding keyword to grant a level of access privilege.

(1 of 2)

Privilege Permissible Tasks
CONNECT
Any user with the Connect privilege can perform the following tasks:

Connect to the database with the CONNECT statement or another connection statement
Execute SELECT, INSERT, UPDATE, and DELETE statements, provided the user has the necessary table-level privileges
Create views, provided the user has the Select privilege on the underlying tables
Create synonyms
Create temporary tables and create indexes on the temporary tables
A user with the Connect privilege and appropriate table-level privileges can also do the following:
Alter or drop a table or index
Grant table-level privileges

RESOURCE
Gives you the ability to extend the structure of the database. In addition to the capabilities of the Connect privilege, the holder of the Resource privilege can perform the following tasks:

Create new tables
Create new indexes
Create new routines
Create new data types

DBA
Has all the capabilities of the Resource privilege as well as the ability to perform the following tasks:

Grant any database-level privilege, including the DBA privilege, to another user
Grant any table-level privilege to another user
Grant any table-level privilege to a role
Grant a role to a user or to another role
Execute the SET SESSION AUTHORIZATION statement
Use the NEXT SIZE keyword to alter extent sizes in the system catalog
Drop any object, regardless of its owner
Create tables, views, and indexes, and specify another user as owner of the objects
Restrict the Execute privilege to DBAs when registering a routine
Execute the DROP DATABASE statement
Execute the DROP DISTRIBUTIONS option of the UPDATE STATISTICS statement
Insert, delete, or update rows of any system catalog table except systables

Only user informix can update systables. You cannot grant this privilege.

Warning: Informix strongly recommends that you do not update, delete, or alter any rows in the system catalog tables. Modifying the system catalog tables can destroy the integrity of the database.

Table-Level Privileges

When you create a table with the CREATE TABLE statement, you are the table owner and automatically receive all table-level privileges. You cannot transfer table ownership to another user, but you can grant table-level privileges to another user or to a role.

A person with the database-level DBA privilege automatically receives all table-level privileges on every table in that database.

Element Purpose Restrictions Syntax
column name
The name of the column or columns to which a Select, Update, or References privilege is granted. If you omit column name, the privilege applies to all columns in the specified table.
The specified column or columns must exist.
Identifier, p. 1-966

The table that follows lists keywords for granting table-level privileges.

(1 of 2)

Privilege Functions
INSERT
Enables the grantee to insert rows into a table, view, or synonym.

DELETE
Enables the grantee to delete rows from a table, view, or synonym.

SELECT
Enables the grantee to select and view data. By default, the grantee can specify any column names from your table in a SELECT statement or SELECT *. You can limit selection to only certain columns from your table if you explicitly list their column names in the GRANT SELECT statement.

UPDATE
Enables the grantee to change data. By default, the grantee can specify any column names from your table in an UPDATE statement. To enable the grantee to update only certain columns, explicitly list their column names in the GRANT UPDATE statement.

Enables the grantee to:

reference columns of your table as foreign keys.
create constraints that cascade deletes to foreign keys.
By default, a grantee can specify any column names from your table as a foreign key. To enable the grantee to reference only certain columns, explicitly list their column names in the GRANT REFERENCES statement.
A grantee must also have the appropriate additional privileges to invoke the statement that creates, adds, or modifies a column to contain foreign keys. (For example, CREATE TABLE requires the Resource privilege.)

INDEX

Enables the grantee to create permanent indexes on a table. Has no effect unless the grantee also has database-level Resource privilege.

ALTER
Enables the grantee to perform all the functions provided by the ALTER TABLE statement, such as:

add or delete columns.
modify column data types.
add or delete constraints on column values.
set the object mode of indexes, constraints, and triggers.
change the locking mode of the table from PAGE to ROW.
add or drop a corresponding row type name for your table.
The Alter privilege has no effect unless the grantee also has the database-level Resource privilege. The Usage privilege is also required for any user-defined type effected by the ALTER TABLE statement.

ALL
Provides all table-level privileges with a single keyword. You can optionally use the longer form ALL PRIVILEGES.
For some of the individual table-level privileges covered by ALL to take effect, the recipient needs additional authorization. (See "Behavior of the ALL Keyword" for details.)

You can narrow the scope of a Select, Update, or References privilege by naming the specific columns to which the privilege applies.

Specify keyword PUBLIC as user if you want a GRANT statement to apply to all users.

Examples

The following statement grants the privilege to delete and select values in any column in the table customer to users mary and john. It also grants the Update privilege, but only for columns customer_num, fname, and lname.

GRANT  DELETE,  SELECT,  UPDATE  (customer_num,  fname,  lname)

	ON  customer  TO  mary,  john

To grant the same privileges as those above to all authorized users, use the keyword PUBLIC as shown in the following example:

GRANT  DELETE,  SELECT,  UPDATE  (customer_num,  fname,  lname)

	ON  customer  TO  PUBLIC

Behavior of the ALL Keyword

The ALL keyword grants all table-level privileges to the specified user. If any a grantee lacks additional privileges required to use a table-level privilege, the GRANT statement with the ALL keyword succeeds, but the following SQLSTATE warning is returned:

01007 - Privilege not granted.

For example, assume that the user ted has the Select and Insert privileges on the customer table with the authority to grant those privileges to other users. User ted wants to grant all table-level privileges to user tania. So user ted issues the following GRANT statement:

GRANT ALL ON customer TO tania

This statement executes successfully but returns SQLSTATE code 01007 for the following reasons:

The statement succeeds in granting the Select and Insert privileges to user tania. User ted has those privileges and the right to grant those privileges to other users.
User ted can not grant the Delete, Update, References, Index, and Alter privileges because he does not have them. User tania does not have them either.

Table Reference

You grant table-level privileges directly by referencing the table name or an existing synonym. You can also grant table-level privileges on a view.

Privileges on Table Name and Synonym Name

Normally, when you create a table in a database that is not ANSI compliant, public receives Select, Insert, Delete, Under, and Update privileges for that table and its synonyms. (The NODEFDAC environment variable, when set to yes, prevents public from automatically receiving table-level privileges.)

To allow access to only certain users, explicitly revoke those privileges public automatically receives and then grant only those you want, as the following example shows:

REVOKE  ALL  ON  customer  FROM  PUBLIC

GRANT  ALL  ON  customer  TO  john,  mary

GRANT  SELECT  (fname,  lname,  company,  city) 

	ON  customer  TO  PUBLIC

ANSI

If you create a table in an ANSI-compliant database, only you, as table owner, have any table-level privileges until you explicitly grant privileges to others.

As explained in the next section, "Privileges on a View," public does not automatically receive any privileges for a view that you create.

Privileges on a View

You must have at least the Select privilege on a table or columns to create a view on that table. You have the same privileges for the view that you have for the table or tables contributing data to the view. For example, if you create a view from a table to which you have only Select privileges, you can select data from your view but you cannot delete or update data.

For detailed information on how to create a view, see "CREATE VIEW".

When you create a view, only you have access to table data through that view. Even users who have privileges on the base table of the view do not automatically receive privileges for the view.

You can grant (or revoke) privileges on a view only if you are the owner of the underlying tables or if you received these privileges on the table with the right to grant them (the WITH GRANT OPTION keyword). You must explicitly grant those privileges within your authority; public does not automatically receive privileges on a view.

The creator of a view can explicitly grant Select, Insert, Delete, and Update privileges for the view to other users or to a role name. You cannot grant Index, Alter, or References privileges on a view (or the All privilege because All includes Index, References, and Alter).

Type-Level Privileges

You own a user-defined data type that you create. As owner, you automatically receive the Usage privilege on that data type and can grant the Usage privilege to others so that they can reference the type name or reference data of that type in SQL statements. DBAs can also grant the Usage privilege for user-defined data types.

If you grant the Usage privilege to a user or role that has Alter privileges, that person can add a column to the table that contains data of your user-defined type.

Element Purpose Restrictions Syntax
type name
The name of the user-defined data type to which the Usage privilege is granted
The specified data type must exist.
Data Type, p. 1-859

Without a GRANT statement, any user can create SQL statements that contain built-in data types. By contrast, a user must receive an explicit Usage privilege from a GRANT statement to use a distinct data type, even if the distinct type is based on a built-in type.

For more information about user-defined types, see CREATE OPAQUE TYPE and CREATE DISTINCT TYPE in this manual, the Chapter 2, "Data Types" in the Informix Guide to SQL: Syntax, andChapter 10, "Understanding Complex Data Types" in the Informix Guide to SQL: Tutorial.

Routine-Level Privileges

The generic term user-defined routine refers to both a user-defined function and a user-defined procedure. A function returns one or more values; a procedure does not.

When you create a user-defined routine with the CREATE FUNCTION or CREATE PROCEDURE statement, you own, and automatically receive the Execute privilege on, that routine. The Execute privilege allows you to invoke the user-defined routine with an EXECUTE FUNCTION or EXECUTE PROCEDURE statement, or with a CALL statement in an SPL routine. The Execute privilege also permits use of a function in an expression, as in the following example:

SELECT * FROM table WHERE in_stock(partnum) < 20


Element	Purpose	Restrictions	Syntax
routine name	The name given to the user-defined routine in a `CREATE FUNCTION` or `CREATE` `PROCEDURE` statement	The identifier must refer to an existing user-defined routine. In an `ANSI`-compliant database, specify the owner as the prefix to the routine name.	Function Name, p. 1-963 or Procedure Name, p. 1-1008

Privilege Functions
SPECIFIC
Grants the Execute privilege for the routine identified by specific name.

FUNCTION
Grants the Execute privilege for any user-defined function with the specified routine name (and parameter types that match routine parameter list, if supplied).

PROCEDURE
Grants the Execute privilege for any user-defined procedure with the specified routine name (and parameter types that match routine parameter list, if supplied).

ROUTINE
Grants Execution privilege for user-defined functions and user-defined procedures with the specified routine name (and parameter types that match routine parameter list, if supplied).

If both a function and a procedure have the same name and list of parameter types, you can grant the Execute privilege to both with the keyword ROUTINE. To limit the Execute privilege to one version of the same routine name, use keyword FUNCTION, PROCEDURE, or SPECIFIC.

To limit the Execute privilege to a user-defined routine that accepts particular data types as arguments, include the data types as the routine parameter list in the GRANT statement or use the SPECIFIC keyword if a specific name exists for that routine and parameter list.

The requirement to grant the Execute privilege explicitly depends on the following conditions:

If you have DBA-level privileges, you can use the DBA keyword of CREATE FUNCTION or CREATE PROCEDURE to restrict the default Execute privilege to users with the DBA database-level privilege. You must explicitly grant the Execute privilege on that routine to users who do not have the DBA privilege.
If you have the Resource database-level privilege, but not the DBA privilege, you cannot use the DBA keyword when you create a routine:
- When you create a routine in a database that is not ANSI compliant, public can execute that routine. You do not need to issue a GRANT statement for the Execute privilege.
- The NODEFDAC environment variable, when set to yes, prevents public from executing your routine until you explicitly grant the Execute privilege.
ANSI
In an ANSI-compliant database, the creator of a routine must explicitly grant the Execute privilege on that routine.

User List

You can grant privileges to an individual user or a list of users. You can also use the PUBLIC keyword to grant privileges to all users.

Element Purpose Restrictions Syntax
user
The login name to receive the role or privilege granted
Put quotes around user to ensure that the name of the user is stored exactly as you type it.
Use the single keyword PUBLIC for user to grant a role or privilege to all authorized users.
Identifier, p. 1-966

The following example grants the table-level privilege Insert on table1 to the user named mary in a database that is not ANSI compliant:

GRANT INSERT ON table1 TO mary

In an ANSI-compliant database, if you do not use quotes around user, the name of the user is stored in uppercase letters.

Role Name

You can identify one or more users by a name that describes their function, or role. You create the role then grant the role to one or more users. You can also grant a role to another role.

After you create and grant a role, you can grant certain privileges to the one or more users associated with that role name.

Element Purpose Restrictions Syntax
role name
The name of the role that is granted, or the name of the role to which a privilege or another role is granted
The role must have been created with the CREATE ROLE statement.
Identifier, p. 1-966

Granting a Role to a User or Another Role

The CREATE ROLE statement (page 1-193) must add a role name to the database before anyone can use that role name in a GRANT statement.

A DBA has the authority to grant a new role to another user. If a user receives a role WITH GRANT OPTION (page 1-477), that user can grant the role to other users or to another role. Users keep a role granted to them until a REVOKE statement breaks the association between their login names and the role name.

Important: CREATE ROLE and GRANT do not activate the role. A role has no effect until the SET ROLE statement enables it. A role grantor or a role grantee can issue the SET ROLE.

The following example shows the sequence required to grant and activate the role payables to a group of employees who perform account payables functions. First the DBA creates role payables, then grants it to maryf.

CREATE ROLE payables;
GRANT payables TO maryf WITH GRANT OPTION

The DBA or maryf can activate the role with the following statement:

SET ROLE payables

User maryf has the WITH GRANT OPTION authorization to grant payables to other employees who pay accounts.

GRANT payables TO charly, gene, marvin, raoul

If you grant privileges for one role to another role, the recipient role has a combined set of privileges. The following example grants the role petty_cash to the role payables:

CREATE ROLE petty_cash
SET ROLE petty_cash
GRANT petty_cash TO payables

If you attempt to grant a role to itself, either directly or indirectly, the database server generates an error.

Granting a Privilege to a Role

You can grant table-, type-, and routine-level privileges to a role if you have the authority to grant these same privileges to login names or PUBLIC. A role cannot have database-level privileges.

When you grant a privilege to a role:

you can specify the AS grantor clause (page 1-477). In this way, the people who have the role can revoke these same privileges.
you cannot include the WITH GRANT OPTION clause. A role cannot, in turn, grant the same table-, type-, or routine-level privileges to another user.

The following example grants the table-level privilege Insert on the supplier table to the role payables:

GRANT INSERT ON supplier TO payables

Anyone granted the role of payables can now insert into supplier.

WITH GRANT OPTION Clause

The WITH GRANT OPTION clause creates a chain of grantors. When you include this clause to a GRANT statement, you grant privileges to user and authorize user to grant the same privileges to others.

If you use the WITH GRANT OPTION to grant privileges, you forfeit control over the future dissemination of those privileges.

If you revoke a privilege you granted with the WITH GRANT OPTION, you revoke the privilege from all users who received it as a result of the WITH GRANT OPTION chain that you initiated. (See "Revoking Privileges Granted WITH GRANT OPTION" for examples.)

If you want to create a chain of privileges with another user as the source of the privilege, use the AS grantor clause. In that case, grantor can revoke all privileges along the WITH GRANT OPTION chain.

AS grantor Clause

If you issue a GRANT command with the AS grantor clause, you relinquish the right to revoke the privileges that you grant to the named grantor. The login given in the AS grantor clause replaces your login in the systabauth system catalog table.

Important: You cannot reverse the AS grantor clause. Once you commit a GRANT naming another as grantor, that person retains the sole right to revoke that GRANT.

The remaining code fragments in this section illustrate the effects of AS grantor.

As owner of the items table, you grant all privileges to the user tom.

REVOKE  ALL  ON  items  FROM  PUBLIC;

GRANT  ALL  ON  items  TO  tom

The system catalog systabauth shows your login as grantor; you retain the right to revoke all privileges on items from the user tom.

You also grant Select and Update privileges to the user jim, but you specify tom as grantor.

GRANT SELECT, UPDATE ON items TO jim AS tom

The system catalog systabauth shows tom as grantor; only tom can revoke Select and Update privileges on items from the user jim. Later, you decide to revoke privileges on the items table from the user tom, so you issue the following statement:

REVOKE ALL  ON items FROM tom

When you try to revoke the privileges on items from the user jim, the database server returns an error, as the following example shows:

REVOKE SELECT, UPDATE ON items FROM jim



580: Cannot revoke permission.

The database server issues the error because it has tom recorded as the original grantor, which you cannot change. Even a table owner cannot revoke a privilege that another user granted.

References

See the GRANT FRAGMENT, REVOKE, and REVOKE FRAGMENT statements in this manual.

For more information about routines and parameter lists, see the CREATE FUNCTION and CREATE PROCEDURE in this manual.

For information on roles, see the CREATE ROLE, DROP ROLE, and SET ROLE statements in this manual.

In the Informix Guide to SQL: Tutorial, see the discussions of database-level privileges and table-level privileges in Chapter 4 and the discussion of privileges and security in Chapter 11.

GRANT FRAGMENT

The GRANT FRAGMENT statement enables you to grant Insert, Update, and Delete privileges on individual fragments of a fragmented table.

Syntax

(1 of 2)

Element Purpose Restrictions Syntax
dbspace
The name of the dbspace where the fragment is stored. Use this parameter to specify the fragment or fragments on which privileges are to be granted. There is no default value.
You must specify at least one dbspace. The specified dbspaces must exist.
Identifier, p. 1-966

grantor
The name of the user who is to be listed as the grantor of the specified privileges in the grantor column of the sysfragauth system catalog table. The user who issues the `GRANT FRAGMENT` statement is the default grantor of the privileges.
The user specified in grantor must be a valid user.
Identifier, p. 1-966

table name
The name of the table that contains the fragment or fragments on which privileges are to be granted. There is no default value.
The specified table must exist and must be fragmented by expression.
Table Name, p. 1-1048

user
The name of the user or users to whom the specified privileges are to be granted. There is no default value.
If you put quotes around user, the name of the user is stored exactly as you typed it. In an `ANSI`-compliant database, the name of the user is stored as uppercase letters if you do not use quotes around user.
Identifier, p. 1-966

Usage

The GRANT FRAGMENT statement is similar to the GRANT statement. Both statements grant privileges to users. The difference between the two statements is that you use GRANT to grant privileges on a table while you use GRANT FRAGMENT to grant privileges on table fragments.

Use the GRANT FRAGMENT statement to grant the Insert, Update, or Delete privilege on one or more fragments of a table to one or more users.

The GRANT FRAGMENT statement is valid only for tables that are fragmented according to an expression-based distribution scheme. For an explanation of expression-based distribution schemes, see the ALTER FRAGMENT statement on page 1-29.

Fragment-Level Privileges

The following table defines each of the fragment-level privileges.


Privilege	Functions
`ALL`	Grants Insert, Update, and Delete privileges on a table fragment.
`INSERT`	Grants Insert privilege on a table fragment. This privilege gives the user the ability to insert rows in the fragment.
`DELETE`	Grants Delete privilege on a table fragment. This privilege gives the user the ability to delete rows in the fragment.
`UPDATE`	Grants Update privilege on a table fragment. This privilege gives the user the ability to update rows in the fragment and to name any column of the table in an `UPDATE` statement.

Definition of Fragment-Level Authority

When a fragmented table is created in an ANSI-compliant database, the table owner implicitly receives all table-level privileges on the new table, but no other users receive privileges.

When a fragmented table is created in a database that is not ANSI compliant, the table owner implicitly receives all table-level privileges on the new table, and other users (that is, PUBLIC) receive the following default set of privileges on the table: Select, Update, Insert, Delete, and Index. The privileges granted to PUBLIC are explicitly recorded in the systabauth system catalog table.

A user who has table privileges on a fragmented table has the privileges implicitly on all fragments of the table. These privileges are not recorded in the sysfragauth system catalog table.

Whether or not the database is ANSI compliant, you can use the GRANT FRAGMENT statement to grant explicit Insert, Update, and Delete privileges on one or more fragments of a table that is fragmented by expression. The privileges granted by the GRANT FRAGMENT statement are explicitly recorded in the sysfragauth system catalog table.

The Insert, Update, and Delete privileges that are conferred on table fragments by the GRANT FRAGMENT statement are collectively known as fragment-level privileges or fragment-level authority.

Role of Fragment-Level Authority in Command Validation

Fragment-level authority lets users execute INSERT, DELETE, and UPDATE statements on table fragments even if they lack Insert, Update, and Delete privileges on the table as a whole. Users who lack privileges at the table level can insert, delete, and update rows in authorized fragments because of the algorithm by which INFORMIX-Universal Server validates commands. This algorithm consists of the following checks:

1. When a user executes an INSERT, DELETE, or UPDATE statement, the database server first checks whether the user has the table authority necessary for the operation attempted. If the table authority exists, the command continues processing.

2. If the table authority does not exist, the database server checks whether the table is fragmented by expression. If the table is not fragmented by expression, the database server returns an error to the user. This error indicates that the user does not have the privilege to execute the command.

3. If the table is fragmented by expression, the database server checks whether the user has the fragment authority necessary for the operation attempted. If the fragment authority exists, the command continues processing. If the fragment authority does not exist, the database server returns an error to the user. This error indicates that the user does not have the privilege to execute the command.

Duration of Fragment-Level Authority

The duration of fragment-level authority is tied to the duration of the fragmentation strategy for the table as a whole.

If you drop a fragmentation strategy by means of a DROP TABLE statement or the INIT, DROP, or DETACH clauses of an ALTER FRAGMENT statement, you also drop any authorities that exist for the affected fragments. Similarly, if you drop a dbspace, you also drop any authorities that exist for the fragment that resides in that dbspace.

Tables that are created as a result of a DETACH or INIT clause of an ALTER FRAGMENT statement do not keep the authorities that the former fragment or fragments had when they were part of the fragmented table. Instead, such tables assume the default table authorities.

If a table with fragment authorities defined on it is changed to a table with a round-robin strategy or some other expression strategy, the fragment authorities are also dropped, and the table assumes the default table authorities.

Granting Privileges on One Fragment or a List of Fragments

You can grant fragment-level privileges on one fragment of a table or on a list of fragments.

Granting Privileges on One Fragment

The following statement grants the Insert, Update, and Delete privileges on the fragment of the customer table in dbsp1 to the user larry:

GRANT FRAGMENT ALL ON customer (dbsp1) TO larry

Granting Privileges on More Than One Fragment

The following statement grants the Insert, Update, and Delete privileges on the fragments of the customer table in dbsp1 and dbsp2 to the user millie:

GRANT FRAGMENT ALL ON customer (dbsp1, dbsp2) TO millie

Granting Privileges on All Fragments of a Table

If you want to grant privileges on all fragments of a table to the same user or users, you can use the GRANT statement instead of the GRANT FRAGMENT statement. However, you can also use the GRANT FRAGMENT statement for this purpose.

Assume that the customer table is fragmented by expression into three fragments, and these fragments reside in the dbspaces named dbsp1, dbsp2, and dbsp3. You can use either of the following statements to grant the Insert privilege on all fragments of the table to the user helen:

GRANT FRAGMENT INSERT ON customer (dbsp1, dbsp2, dbsp3)

TO helen;



GRANT INSERT ON customer TO helen;

Granting Privileges to One User or a List of Users

You can grant fragment-level privileges to a single user or to a list of users.

Granting Privileges to One User

The following statement grants the Insert, Update, and Delete privileges on the fragment of the customer table in dbsp3 to the user oswald:

GRANT FRAGMENT ALL ON customer (dbsp3) TO oswald

Granting Privileges to a List of Users

The following statement grants the Insert, Update, and Delete privileges on the fragment of the customer table in dbsp3 to the users jerome and hilda:

GRANT FRAGMENT ALL ON customer (dbsp3) TO jerome, hilda

Granting One Privilege or a List of Privileges

When you specify fragment-level privileges in a GRANT FRAGMENT statement, you can specify one privilege, a list of privileges, or all privileges.

Granting One Privilege

The following statement grants the Update privilege on the fragment of the customer table in dbsp1 to the user ed:

GRANT FRAGMENT UPDATE ON customer (dbsp1) TO ed

Granting a List of Privileges

The following statement grants the Update and Insert privileges on the fragment of the customer table in dbsp1 to the user susan:

GRANT FRAGMENT UPDATE, INSERT ON customer (dbsp1) TO susan

Granting All Privileges

The following statement grants the Insert, Update, and Delete privileges on the fragment of the customer table in dbsp1 to the user harry:

GRANT FRAGMENT ALL ON customer (dbsp1) TO harry

WITH GRANT OPTION Clause

By including the WITH GRANT OPTION clause in the GRANT FRAGMENT statement, you convey the specified fragment-level privileges to a user and the right to grant those same privileges to other users.

The following statement grants the Update privilege on the fragment of the customer table in dbsp3 to the user george and gives this user the right to grant the Update privilege on the same fragment to other users:

GRANT FRAGMENT UPDATE ON customer (dbsp3) TO george

	WITH GRANT OPTION

AS grantor Clause

The AS grantor clause is optional in a GRANT FRAGMENT statement. Use this clause to specify the grantor of the privilege.

Including the AS grantor Clause

When you include the AS grantor clause in the GRANT FRAGMENT statement, you specify that the user who is named in the grantor parameter is listed as the grantor of the privilege in the grantor column of the sysfragauth system catalog table.

In the following example, the DBA grants the Delete privilege on the fragment of the customer table in dbsp3 to the user martha. In the GRANT FRAGMENT statement, the DBA uses the AS grantor clause to specify that the user jack is listed as the grantor of the privilege in the sysfragauth system catalog table.

GRANT FRAGMENT DELETE ON customer (dbsp3) TO martha AS jack

Omitting the AS grantor Clause

When a GRANT FRAGMENT statement does not include the AS grantor clause, the user who issues the statement is the default grantor of the privileges that are specified in the statement.

In the following example, the user grants the Update privilege on the fragment of the customer table in dbsp3 to the user fred. Because this statement does not specify the AS grantor clause, the user who issues the statement is listed by default as the grantor of the privilege in the sysfragauth system catalog table.

GRANT FRAGMENT UPDATE ON customer (dbsp3) TO fred

Consequences of the AS grantor Clause

If you omit the AS grantor clause, or if you specify your own user name in the grantor parameter, you can later revoke the privilege that you granted to the specified user. However, if you specify someone other than yourself as the grantor of the specified privilege to the specified user, only that grantor can revoke the privilege from the user.

For example, if you grant the Delete privilege on the fragment of the customer table in dbsp3 to user martha but specify user jack as the grantor of the privilege, user jack can revoke that privilege from user martha, but you cannot revoke that privilege from user martha.

References

See the GRANT and REVOKE FRAGMENT statements in this manual.

Informix Guide to SQL: SyntaxChapter 1: SQL Statements Home Contents Index Master Index New Book

SQL Statements

GRANT

Syntax

Behavior of the ALL Keyword

Table Reference

User List

Usage

Duration of Fragment-Level Authority

Granting Privileges on More Than One Fragment

Granting Privileges on All Fragments of a Table

Granting Privileges to One User or a List of Users

Granting Privileges to a List of Users

Granting One Privilege or a List of Privileges

Granting a List of Privileges

Granting All Privileges

WITH GRANT OPTION Clause

AS grantor Clause

Omitting the AS grantor Clause

Consequences of the AS grantor Clause

Informix Guide to SQL: Syntax
Chapter 1: SQL Statements

Home Contents Index Master Index New Book