doc-exports/docs/dws/dev/dws_04_0054.html
Lu, Huayi ef0ada5a59 DWS DEV 20240716 version
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Co-authored-by: Lu, Huayi <luhuayi@huawei.com>
Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
2024-11-02 09:07:47 +00:00


<a name="EN-US_TOPIC_0000001531021169"></a>
<h1 class="topictitle1">Permissions Management</h1>
<div id="body8662426"><div class="section" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_section8563415142017"><h4 class="sectiontitle">Permission Overview</h4><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p558215264394"><strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b6813193733114">Permissions</strong> control whether a user may access a database object (including schemas, tables, functions, and sequences) and which operations the user may perform on it, such as creating, adding, deleting, modifying, and querying.</p>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p1828011289417">Permission management in GaussDB(DWS) falls into three categories:</p>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ul64171044132518"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li18417114442513">System permissions<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_aa9331f78835c4effb59ae7315462f8ea"><a name="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li18417114442513"></a><a name="en-us_topic_0000001188323582_li18417114442513"></a>System permissions are also called user attributes, including <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b189302707011452">SYSADMIN</strong>, <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b36781261111452">CREATEDB</strong>, <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b132633487611452">CREATEROLE</strong>, <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b22355050811452">AUDITADMIN</strong>, and <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b146348538011452">LOGIN</strong>.</p>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ac511275173b146c7a3d5c1117cda40fb">They can be specified only by the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b90868937911452">CREATE ROLE</strong> or <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b103038887711452">ALTER ROLE</strong> syntax. The <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b150045422911452">SYSADMIN</strong> permission can be granted and revoked using <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b174903650611452">GRANT ALL PRIVILEGE</strong> and <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b3313159811452">REVOKE ALL PRIVILEGE</strong>, respectively. System permissions cannot be inherited by a user from a role, and cannot be granted using <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b175146477411452">PUBLIC</strong>.</p>
</li></ul>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ul1391012488251"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li391094882516">Object permissions<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p224352616259"><a name="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li391094882516"></a><a name="en-us_topic_0000001188323582_li391094882516"></a>Permissions on a database object (table, view, column, database, function, schema, or tablespace) can be granted to a role or user. The <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b40240465111452">GRANT</strong> command grants permissions to a user or role. Granted permissions are added to those the user or role already holds.</p>
</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li98127462258">Permissions<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_a491f58fdf9724a56b29f11cbd156ae08"><a name="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li98127462258"></a><a name="en-us_topic_0000001188323582_li98127462258"></a>Grant a role's or user's permissions to one or more roles or users. In this case, every role or user can be regarded as a set of one or more database permissions.</p>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_abfac7b4c22ac4671b866b61c633faa8f">If <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b121349498811452">WITH ADMIN OPTION</strong> is specified, the member can in turn grant permissions in the role to others, and revoke permissions in the role as well. If a role or user granted with certain permissions is changed or revoked, the permissions inherited from the role or user also change.</p>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_aa7f9eff33e96410b9828534c5949b984">A database administrator can grant permissions to and revoke them from any role or user. Roles having <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b26785177911452">CREATEROLE</strong> permission can grant or revoke membership in any role that is not an administrator.</p>
</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_section21073283249"><h4 class="sectiontitle">Hierarchical Permission Management</h4><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p19650134114265">GaussDB(DWS) implements a hierarchical permission management on databases, schemas, and data objects.</p>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ul1783019211233"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li16830121732">Databases are isolated from one another and share very few resources, so connections and permissions can be separated at the database level. A cluster holds one or more named databases. Users and roles are shared across the entire cluster, but their data is not: a user can connect to any database, but once connected can access only the database named in the connection request.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li683002120316">Schemas share more resources than databases do. User permissions on a schema and the objects under it can be configured flexibly with the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b43506685911452">GRANT</strong> and <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b76023925111452">REVOKE</strong> syntax. Each database has one or more schemas, and each schema contains objects of various types, such as tables, views, and functions. To access an object in a schema, a user must have the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b98525806123017">USAGE </strong>permission on that schema.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li9214171011443">After an object is created, by default only the object owner or a system administrator can query, modify, or delete it. For another user to access a specific database object, for example <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b212517723614">table1</strong>, that user must be granted the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b1120915118365">CONNECT </strong>permission on the database, the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b1436411149368">USAGE </strong>permission on the schema, and the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b19522201923611">SELECT </strong>permission on <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b4522122110369">table1</strong>. To access an object at a lower layer, a user must hold the permission on the object at the layer above it. To create or delete a schema, you must have the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b79324495811452">CREATE</strong> permission on its database.</li></ul>
<div class="fignone" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_fig1881004519237"><span class="figcap"><b>Figure 1 </b>Hierarchical Permission Management</span><br><span><img id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_image19811745162313" src="figure/en-us_image_0000001526705437.png"></span></div>
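<p>The following is an added example, not taken from the GaussDB(DWS) documentation, that walks the database, schema, and table layers described above for one read-only account and then checks each layer. The database <strong>salesdb</strong>, schema <strong>myschema</strong>, table <strong>myschema.t1</strong>, user <strong>reporter</strong>, and the password value are assumed names and placeholders.</p>

```sql
-- Added example (not from the GaussDB(DWS) documentation).
-- Assumed names: database salesdb, schema myschema, table myschema.t1,
-- user reporter. The password value is a placeholder.

-- Run as the object owner or a system administrator.
CREATE USER reporter PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';

-- Layer 1: the user must be allowed to connect to the database.
GRANT CONNECT ON DATABASE salesdb TO reporter;

-- Layer 2: without USAGE on the schema, every object inside it stays
-- unreachable, even when a table privilege has been granted.
GRANT USAGE ON SCHEMA myschema TO reporter;

-- Layer 3: the privilege on the table itself.
GRANT SELECT ON TABLE myschema.t1 TO reporter;

-- Least privilege: nothing was granted on other tables in myschema, and
-- no CREATE on the database, so reporter cannot add or drop schemas.

-- Verify each layer (built-in privilege-inquiry functions).
SELECT has_database_privilege('reporter', 'salesdb', 'CONNECT');
SELECT has_schema_privilege('reporter', 'myschema', 'USAGE');
SELECT has_table_privilege('reporter', 'myschema.t1', 'SELECT');
SELECT has_table_privilege('reporter', 'myschema.t1', 'INSERT');

-- Revoking USAGE on the schema cuts off access to every object in it:
-- the SELECT entry on t1 remains in the table's ACL but is no longer
-- reachable, which is the hierarchical rule in action.
REVOKE USAGE ON SCHEMA myschema FROM reporter;
SELECT has_schema_privilege('reporter', 'myschema', 'USAGE');
```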
</div>
<div class="section" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_section764344122017"><h4 class="sectiontitle">Roles</h4><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p594492172313">The permission management model of GaussDB(DWS) is a typical implementation of the role-based permission control (RBAC). It manages users, roles, and permissions through this model.</p>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p18997124010386">A role is a set of permissions.</p>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ul1069211115236"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li14692171112239">The concept of "user" is equivalent to that of "role". The only difference is that a "user" has the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b179722174382">login </strong>permission while a "role" has the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b25263205380">nologin </strong>permission.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li56921211152318">Roles are assigned different permissions based on their responsibilities in the database system. A role is a set of database permissions and represents the behavior constraints of a database user or a group of database users.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li1169271112236">A role can be converted into a user and vice versa. You can use <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b94823194391">ALTER </strong>to assign the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b202096210394">login </strong>permission to a role.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li196925116231">After a role is granted to a user through <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b167044716011452">GRANT</strong>, the user has all the permissions of the role. Roles are the recommended way to grant permissions efficiently. For example, you can create separate roles for design, development, and maintenance personnel, grant the data permissions each group needs to its role, and then grant the roles to the users. When permissions are granted or revoked at the role level, the change takes effect for all members of the role.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li2537471961">In non-separation-of-duty scenarios, a role can be created, modified, and deleted only by a system administrator or a user with the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b40108962911452">CREATEROLE</strong> attribute. In separation-of-duty scenarios, a role can be created, modified, and deleted only by a user with the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b102587796011452">CREATEROLE</strong> attribute.</li></ul>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_af29398cff1464bd1ba13906817e39c79">To view all roles, query the system catalog <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b86742016411452">PG_ROLES</strong>.</p>
<pre class="screen" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_sd4f5e25ffae840afadfe668712024ec2">SELECT * FROM PG_ROLES;</pre>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p75512171567">For how to create, modify, and delete a role, see "CREATE ROLE/ALTER ROLE/DROP ROLE" in <em id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_i148251911405">SQL Syntax Reference</em>.</p>
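<p>An added example (not from the GaussDB(DWS) documentation) of the role-based pattern recommended above: object permissions go to NOLOGIN roles for design, development, and operations staff, and users receive membership in those roles. The schema <strong>app</strong>, the role and user names, and the password values are assumed; the <strong>PASSWORD DISABLE</strong> form for roles that never log in is assumed to be accepted by the cluster's password policy.</p>

```sql
-- Added example (not from the GaussDB(DWS) documentation).
-- Assumed names: schema app, roles app_design/app_dev/app_ops,
-- users alice/bob. Password values are placeholders.

-- Roles without LOGIN act purely as permission sets (no password needed).
CREATE ROLE app_design PASSWORD DISABLE;
CREATE ROLE app_dev    PASSWORD DISABLE;
CREATE ROLE app_ops    PASSWORD DISABLE;

-- Grant object privileges to the roles, never to individual users.
GRANT USAGE ON SCHEMA app TO app_design, app_dev, app_ops;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_design;
-- "ALL TABLES IN SCHEMA" covers tables that exist now, not future ones.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_dev;
GRANT CREATE ON SCHEMA app TO app_dev;

-- Users receive membership and thereby the role's object privileges.
CREATE USER alice PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';
CREATE USER bob   PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';
GRANT app_dev TO alice;
-- WITH ADMIN OPTION lets bob grant app_ops onward or revoke it from
-- others, so hand it out only where delegation is intended.
GRANT app_ops TO bob WITH ADMIN OPTION;

-- A change at role level reaches every member at once.
REVOKE DELETE ON ALL TABLES IN SCHEMA app FROM app_dev;

-- Role <-> user conversion is just the LOGIN attribute; a login
-- password must be set when a role becomes a user.
ALTER ROLE app_ops LOGIN PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';
ALTER ROLE app_ops NOLOGIN;

-- Review attributes in the PG_ROLES catalog and confirm membership.
SELECT rolname, rolcanlogin, rolcreaterole, rolsystemadmin
FROM   pg_roles
WHERE  rolname LIKE 'app\_%';
SELECT pg_has_role('alice', 'app_dev', 'MEMBER');
SELECT pg_has_role('bob',   'app_ops', 'MEMBER');
```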
</div>
<div class="section" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_section1347652012418"><h4 class="sectiontitle">Preset Roles</h4><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p1766772684413"><span id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_text139660670611452">GaussDB(DWS)</span> provides a group of preset roles. Their names start with <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b115378953011452">gs_role_</strong>. These roles give access to operations that otherwise require elevated permissions. You can grant them to other users or roles in the database so that those users or roles can access or use specific information and functions. Exercise caution and ensure security when using preset roles.</p>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p13459145614515">The following table describes the permissions of preset roles.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_table4661394449" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Permissions of preset roles</caption><thead align="left"><tr id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_row13674391449"><th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.4.4.2.3.1.1"><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p468133913446">Role</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="75%" id="mcps1.3.4.4.2.3.1.2"><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p116843910441">Permission</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_row176814394444"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p1268113954415">gs_role_signal_backend</p>
</td>
<td class="cellrowborder" valign="top" width="75%" headers="mcps1.3.4.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p06823917443">Invokes functions such as <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b121318786811452">pg_cancel_backend</strong>, <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b85122045011452">pg_terminate_backend</strong>, <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b65211112811452">pg_terminate_query</strong>, <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b30098076711452">pg_cancel_query</strong>, <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b66596661811452">pgxc_terminate_query</strong>, and <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b190239757711452">pgxc_cancel_query</strong> to cancel or terminate sessions, excluding those of the initial users.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_row1681139104412"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p1968103917444">gs_role_read_all_stats</p>
</td>
<td class="cellrowborder" valign="top" width="75%" headers="mcps1.3.4.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p871582612481">Reads the system status view and uses various extension-related statistics, including information that is usually visible only to system administrators. For example:</p>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p118732471465">Resource management views:</p>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ul64973711476"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li1576714100472">pgxc_wlm_operator_history</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li1850121284713">pgxc_wlm_operator_info</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li473931434717">pgxc_wlm_operator_statistics</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li9571116134717">pgxc_wlm_session_info</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li1038902017476">pgxc_wlm_session_statistics</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li1989321154714">pgxc_wlm_workload_records</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li7541112454719">pgxc_workload_sql_count</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li1840562654720">pgxc_workload_sql_elapse_time</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li79491432174820">pgxc_workload_transaction</li></ul>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p7914114164817">Status information views:</p>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ul4962184114483"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li59608417487">pgxc_stat_activity</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li1871864604813">pgxc_get_table_skewness</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li8676548154819">table_distribution</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li893495011483">pgxc_total_memory_detail</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li1696274134817">pgxc_os_run_info</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li20962184111489">pg_nodes_memory</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li8962941154811">pgxc_instance_time</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li16962164154810">pgxc_redo_stat</li></ul>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_row193591543331"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p63601443439">gs_role_analyze_any</p>
</td>
<td class="cellrowborder" valign="top" width="75%" headers="mcps1.3.4.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p191891611544">A user with the system-level <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b48683385211452">ANALYZE</strong> permission can skip the schema permission check and perform <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b32208375011452">ANALYZE</strong> on all tables.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_row5476048738"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p124761648039">gs_role_vacuum_any</p>
</td>
<td class="cellrowborder" valign="top" width="75%" headers="mcps1.3.4.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p11189211548">A user with the system-level <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b177375898711452">VACUUM</strong> permission can skip the schema permission check and perform <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b16700219011452">VACUUM</strong> on all tables.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p540455112135"><strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b3614914175813">Restrictions on using preset roles:</strong></p>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ul1404155141318"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li740455181317"><strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b195015343711452">gs_role_</strong> is the name prefix reserved for preset roles in the database. Do not create users or roles whose names start with <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b16509430011452">gs_role_</strong>, and do not rename existing users or roles so that their names start with <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b36505684011452">gs_role_</strong>.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li20404205111311">Do not perform <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b107550735011452">ALTER </strong>or <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b98811575411452">DROP </strong>operations on preset roles.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li14041951141312">By default, a preset role does not have the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b139146473711452">LOGIN </strong>permission, so there is no preset login password for the role.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li14405165118134">The gsql meta-commands <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b159284703411452">\du</strong> and <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b205489844811452">\dg</strong> do not display information about preset roles. However, if <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b206473951711452">PATTERN </strong>is specified, information about preset roles is displayed.</li><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li11405145119133">If the separation of permissions is disabled, the system administrator and users holding a preset role <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b166006394211452">WITH ADMIN OPTION</strong> are allowed to perform GRANT and REVOKE operations on that preset role. If the separation of permissions is enabled, the security administrator (with the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b204028199411452">CREATEROLE </strong>attribute) and users holding a preset role <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b157204735711452">WITH ADMIN OPTION</strong> are allowed to perform GRANT and REVOKE operations on that preset role. Example:<pre class="screen" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_screen946512153142">GRANT gs_role_signal_backend TO user1;
REVOKE gs_role_signal_backend FROM user1;</pre>
</li></ul>
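<p>An added example (not from the GaussDB(DWS) documentation) that grants a monitoring account only <strong>gs_role_read_all_stats</strong> and then audits preset-role membership through the <strong>pg_roles</strong> and <strong>pg_auth_members</strong> catalogs, including a check for names that violate the <strong>gs_role_</strong> naming restriction. The user <strong>monitor_user</strong> and the password value are assumed placeholders.</p>

```sql
-- Added example (not from the GaussDB(DWS) documentation).
-- Assumed names: user monitor_user. The password value is a placeholder.

-- Run as the system administrator (separation of permissions disabled)
-- or as the security administrator (separation of permissions enabled).
CREATE USER monitor_user PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';

-- Read-only visibility into workload and status views without SYSADMIN.
GRANT gs_role_read_all_stats TO monitor_user;
-- gs_role_signal_backend would let this account cancel or terminate
-- other users' sessions; a monitoring-only account does not need it.

-- Audit: every member of every preset role, and whether the membership
-- carries ADMIN OPTION (the member can then grant the role onward).
-- Backslashes keep the underscores literal in the LIKE pattern.
SELECT r.rolname        AS preset_role,
       m.rolname        AS member,
       am.admin_option  AS can_regrant
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  r.rolname LIKE 'gs\_role\_%'
ORDER  BY 1, 2;

-- Naming check: anything that looks like a preset role but is not one
-- of the four documented roles violates the gs_role_ restriction.
SELECT rolname
FROM   pg_roles
WHERE  rolname LIKE 'gs\_role\_%'
AND    rolname NOT IN ('gs_role_signal_backend', 'gs_role_read_all_stats',
                       'gs_role_analyze_any',    'gs_role_vacuum_any');

-- Confirm the grant, then remove it once the monitoring task ends.
SELECT pg_has_role('monitor_user', 'gs_role_read_all_stats', 'MEMBER');
REVOKE gs_role_read_all_stats FROM monitor_user;
```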
</div>
<div class="section" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_section15972183943314"><h4 class="sectiontitle">Granting or Revoking Permissions</h4><p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p341575218368">A user who creates an object is the owner of this object. By default, <a href="dws_04_0056.html#EN-US_TOPIC_0000001480501210">Separation of Permissions</a> is disabled after cluster installation. A database system administrator has the same permissions as object owners.</p>
<p id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p101295419267">After an object is created, only the object owner or system administrator can query, modify, and delete the object, and grant permissions for the object to other users through <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b114404277011452">GRANT</strong> by default. To enable a user to use an object, the object owner or administrator can run the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b828810525440">GRANT </strong>or <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b1349075494418">REVOKE </strong>command to grant permissions to or revoke permissions from the user or role.</p>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_ul27611731229"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li117615317217">Run the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b270611249451">GRANT </strong>statement to grant permissions.<div class="p" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p13981243143818">For example, grant the <strong>USAGE </strong>permission on schema <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b647710141549">myschema </strong>to role <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b16871716105414">u1</strong>, and grant the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b166051719105419">SELECT </strong>permission on table <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b1533722611546">myschema.t1</strong> to role <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b86862916548">u1</strong>.<pre class="screen" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_sfd7c911cc86147dcadd1c3f050bf3903">GRANT USAGE ON SCHEMA myschema TO u1;
GRANT SELECT ON TABLE myschema.t1 TO u1;</pre>
</div>
</li></ul>
<ul id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_u4d00d0b1312f4bfd98f628d76c4c33a3"><li id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_li19740801212">Run the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b189491218577">REVOKE </strong>command to revoke a permission that has been granted.<div class="p" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_p994041129">For example, revoke all permissions of user <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b1879793419452">u1 </strong>on the <strong id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_b145831937154516">myschema.t1</strong> table.<pre class="screen" id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_screen117241079509">REVOKE ALL PRIVILEGES ON <em id="EN-US_TOPIC_0000001531021169__en-us_topic_0000001188323582_i137292775015">myschema.t1</em> FROM u1; </pre>
</div>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dws_04_0053.html">Managing Users and Their Permissions</a></div>
</div>
</div>