The database server looks first for privileges that are granted specifically to the requesting user. If it finds such a grant, it uses that information. It then checks to see if less restrictive privileges have been granted to public. If so, the database server uses the less-restrictive privileges. If no grant has been made to that user, the database server looks for privileges granted to public. If it finds a relevant privilege, it uses that one. Thus, to set a minimum level of privilege for all users, grant privileges to public. You can override that, in specific cases, by granting higher individual privileges to users. Resource Privilege The Resource privilege carries the same authorization as the Connect privilege. In addition, users with the Resource privilege can create new, permanent tables, data types (opaque, distinct, complex), indexes, and stored routines, thus permanently allocating disk space. Database Administrator Privilege The highest level of database privilege is Database Administrator, or DBA. When you create a database, you are automatically the DBA. Holders of the DBA privilege can perform the following functions:
C
R
D
Figure 11-1 List of Encoded Privileges
A hyphen means an ungranted privilege, so that a grant of all privileges is shown as su-idxar, and -u------ shows a grant of only Update. The code letters are normally lowercase, but they are uppercase when the keywords WITH GRANT OPTION are used in the GRANT statement. When an asterisk (*) appears in the third position, some column-level privilege exists for that table and grantee. The specific privilege is recorded in syscolauth. Its primary key is a composite of the table number, the grantor, the grantee, and the column number. The only attribute is a three-letter list that shows the type of privilege: s, u, or r. Index, Alter, and References Privileges The Index privilege permits its holder to create and alter indexes on the table. The Index privilege, similar to the Select, Insert, Update, and Delete privileges, is granted automatically to public when a table is created. You can grant the Index privilege to anyone, but to exercise the ability, the user must also hold the Resource database privilege. So, although the Index privilege is granted automatically (except in ANSI-compliant databases), users who have only the Connect privilege to the database cannot exercise their Index privilege. Such a limitation is reasonable because an index can fill a large amount of disk space. The Alter privilege permits its holder to use the ALTER TABLE statement on the table, including the power to add and drop columns, reset the starting point for SERIAL columns, and so on. You should grant the Alter privilege only to users who understand the data model very well and whom you trust to exercise their power very carefully. The References privilege allows you to impose referential constraints on a table. As with the Alter privilege, you should grant the References privilege only to users who understand the data model very well. Column-Level Privileges You can qualify the Select, Update, and References privileges with the names of specific columns. Naming specific columns allows you to grant very specific access to a table. You can permit a user to see only certain columns, to update only certain columns, or to impose referential constraints on certain columns. You can limit privileges on certain columns so that only certain users can access the salary, performance review, or other sensitive information about an employee. To make the example specific, suppose a table of employee data is defined as the following example shows:
su-idxar
-u------
s
u
r
Automating Privileges This design might seem to force you to execute a tedious number of GRANT statements when you first set up the database. Furthermore, privileges require constant maintenance as people change jobs. For example, if a clerk in Human Resources is terminated, you should revoke the Update privilege as soon as possible; otherwise the unhappy employee might execute a statement such as the following one:
connect
delete
insert
public
select
DBA
execute
none
references
update
A role name must be different from existing role names in the database. A role name must also be different from user names that are known to the operating system, including network users known to the server computer. To make sure your role name is unique, check the names of the users in the shared memory structure who are currently using the database as well as the following system catalog tables: