Assigning Roles
Assigning a role is similar to granting a privilege.One or more roles can be assigned to one or more users, including the user PUBLIC, using one GRANT statement.
%22%20gradientUnits%3D%22userSpaceOnUse%22%3E%3Cstop%20stop-color%3D%22%23fd0a02%22%20offset%3D%220%22%2F%3E%3Cstop%20stop-color%3D%22%23fd3703%22%20offset%3D%22.27%22%2F%3E%3Cstop%20stop-color%3D%22%23fffb17%22%20offset%3D%221%22%2F%3E%3C%2FlinearGradient%3E%3CradialGradient%20id%3D%22IDa%22%20cx%3D%22226.87%22%20cy%3D%22227.78%22%20r%3D%22226.77%22%20gradientTransform%3D%22matrix(1%200%200%20.99928%204.5%20.16398)%22%20gradientUnits%3D%22userSpaceOnUse%22%20spreadMethod%3D%22reflect%22%3E%3Cstop%20stop-color%3D%22%23fffb17%22%20offset%3D%22-99%22%2F%3E%3Cstop%20stop-color%3D%22%23fd3703%22%20style%3D%22stop-color%3A%23d6d6d6%3Bstop-opacity%3A.80992%22%20offset%3D%22-25.96%22%2F%3E%3Cstop%20stop-color%3D%22%23fd0a02%22%20style%3D%22stop-color%3A%23640401%22%20offset%3D%221%22%2F%3E%3C%2FradialGradient%3E%3Cfilter%20id%3D%22IDc%22%20x%3D%22-.073393%22%20y%3D%22-.073446%22%20width%3D%221.1468%22%20height%3D%221.1469%22%20style%3D%22color-interpolation-filters%3AsRGB%22%3E%3CfeGaussianBlur%20stdDeviation%3D%2213.661255%22%2F%3E%3C%2Ffilter%3E%3C%2Fdefs%3E%3Cg%20transform%3D%22translate(28.187%2031.614)%22%3E%3Cpath%20d%3D%22m144.36%20418.24c-31.519-36.408-42.174-117.36-35.104-140.33%209.9544-32.345%2021.049-46.054%2052.91-61.14%2012.171-5.7629%2030.369-9.7087%2040.618-16.999%209.6275-6.8485%2011.103-20.882%200.3031-30.555-11.374-10.186-25.905-6.8539-44.714-1.9463-0.8293%200.2163-2.2371%201.2415-2.4517%202.0893-0.5764%202.2763%200.3517%204.8404%201.55%207.9654-13.009-4.9358-26.833-14.752-28.839-21.314-6.3773-20.865%2017.573-38.445%2048.266-37.644-3.4102-17.273-3.4635-26.602%2018.537-25.134%2032.366%202.1593%2053.818%2013.086%2085.84%2021.325%202.5911%200.6668%2015.302%204.2674%2017.351%202.4455%201.3911-1.2363%202.2548-6.8008%204.1746-11.352%201.7884%205.7771%203.6412%2013.171%201.3306%2018.928-3.601%208.9701-42.338%200.4436-49.836-0.4936-1.4719%202.0873-0.7547%206.4248%201.0548%206.9152%2021.778%205.9031%2040.947%2025.511%2046.258%2034.455%208.8055%2014.832%2010.521%2029.513%207.7741%2042.707-2.5105%2012.06-21.178%2036.296-31.757%2050.233-13.891%2018.301-22.03%2028.984-9.0675%2043.421%206.6796%207.4391%2040.824%2010.557%2075.278-3.6384%2030.204-12.444%2075.735-59.108%2075.527-110.4-0.4087-100.65-83.111-169.04-176.17-181.35-4.1817-0.6355-4.2058-5.2511-0.0238-5.2514%2085.729-8e-3%20214.98%2078.833%20214.98%20226.49%202e-4%20127-105.71%20226.72-223.18%20226.72-46.871%200-69.584-11.872-90.603-36.151zm-139.76-190.62c0-147.17%20129.41-226.45%20214.98-226.45%204.2192%200%204.2282%204.6119%209e-3%205.2304-94.354%2010.94-163.61%2072.376-180.2%20163.11-13.135%2071.848%2014.501%20141.16%2066.086%20182.98%206.8172%2036.501%2027.251%2073.534%2052.047%2089.504-97.014-32.749-152.92-124.89-152.92-214.38zm189.2-109.32c-1.0982-0.0895-5.4887-5.9834-1.2128-6.6405%2010.982-1.6874%2021.989%202.9859%2027.148%206.8763%200.9582%200.7226%200.4686%203.0838-0.2361%202.9402-5.5378-1.1299-24.15-3.05-25.699-3.176z%22%20style%3D%22fill-rule%3Aevenodd%3Bfill%3Aurl(%23IDa)%3Bfilter%3Aurl(%23IDc)%3Bmix-blend-mode%3Anormal%3Bopacity%3A.61733%3Bstroke-width%3A.99975%3Bstroke%3A%23000000%22%2F%3E%3Cpath%20d%3D%22m139.76%20417.07c-31.519-36.408-42.174-117.36-35.104-140.33%209.9544-32.345%2021.049-46.054%2052.91-61.14%2012.171-5.7629%2030.369-9.7087%2040.618-16.999%209.6275-6.8485%2011.103-20.882%200.3031-30.555-11.374-10.186-25.905-6.8539-44.714-1.9463-0.8293%200.2163-2.2371%201.2415-2.4517%202.0893-0.5764%202.2763%200.3517%204.8404%201.55%207.9654-13.009-4.9358-26.833-14.752-28.839-21.314-6.3773-20.865%2017.573-38.445%2048.266-37.644-3.4102-17.273-3.4635-26.602%2018.537-25.134%2032.366%202.1593%2053.818%2013.086%2085.84%2021.325%202.5911%200.6668%2015.302%204.2674%2017.351%202.4455%201.3911-1.2363%202.2548-6.8008%204.1746-11.352%201.7884%205.7771%203.6412%2013.171%201.3306%2018.928-3.601%208.9701-42.338%200.4436-49.836-0.4936-1.4719%202.0873-0.7547%206.4248%201.0548%206.9152%2021.778%205.9031%2040.947%2025.511%2046.258%2034.455%208.8055%2014.832%2010.521%2029.513%207.7741%2042.707-2.5105%2012.06-21.178%2036.296-31.757%2050.233-13.891%2018.301-22.03%2028.984-9.0675%2043.421%206.6796%207.4391%2040.824%2010.557%2075.278-3.6384%2030.204-12.444%2075.735-59.108%2075.527-110.4-0.4087-100.65-83.111-169.04-176.17-181.35-4.1817-0.6355-4.2058-5.2511-0.0238-5.2514%2085.729-8e-3%20214.98%2078.833%20214.98%20226.49%202e-4%20127-105.71%20226.72-223.18%20226.72-46.871%200-69.584-11.872-90.603-36.151zm-139.76-190.62c0-147.17%20129.41-226.45%20214.98-226.45%204.2192%200%204.2282%204.6119%209e-3%205.2304-94.354%2010.94-163.61%2072.376-180.2%20163.11-13.135%2071.848%2014.501%20141.16%2066.086%20182.98%206.8172%2036.501%2027.251%2073.534%2052.047%2089.504-97.014-32.749-152.92-124.89-152.92-214.38zm189.2-109.32c-1.0982-0.0895-5.4887-5.9834-1.2128-6.6405%2010.982-1.6874%2021.989%202.9859%2027.148%206.8763%200.9582%200.7226%200.4686%203.0838-0.2361%202.9402-5.5378-1.1299-24.15-3.05-25.699-3.176z%22%20style%3D%22fill-rule%3Aevenodd%3Bfill%3Aurl(%23IDb)%3Bstroke-width%3A.32475%3Bstroke%3A%23909090%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E%0A){kind=small}
- Anglaiskeyboard_arrow_down
- languageFrançais
- languageРусский
- languageDeutsch
The WITH ADMIN OPTION Clause
The optional WITH ADMIN OPTION clause allows the users specified in the user list to grant the role(s) specified to other users or roles.
|
Caution
|
It is possible to assign this option to |
For cumulative roles, a user can only exercise the WITH ADMIN OPTION of a secondary role if all intermediate roles are also granted WITH ADMIN OPTION.That is, GRANT ROLEA TO ROLE ROLEB WITH ADMIN OPTION, GRANT ROLEB TO ROLE ROLEC, GRANT ROLEC TO USER USER1 WITH ADMIN OPTION only allows USER1 to grant ROLEC to other users or roles, while using GRANT ROLEB TO ROLE ROLEC WITH ADMIN OPTION allows USER1 to grant ROLEA, ROLEB and ROLEC to other users.
Examples of Role Assignment
-
Assigning the
DIRECTORandMANAGERroles to the userIVAN:GRANT DIRECTOR, MANAGER TO USER IVAN; -
Assigning the
MANAGERrole to the userALEXwith the authority to assign this role to other users:GRANT MANAGER TO USER ALEX WITH ADMIN OPTION; -
Assigning the
DIRECTORrole to userALEXas a default role:GRANT DEFAULT DIRECTOR TO USER ALEX; -
Assigning the
MANAGERrole to roleDIRECTOR:GRANT MANAGER TO ROLE DIRECTOR;
See also
The WITH GRANT OPTION Clause
The optional WITH GRANT OPTION clause allows the users specified in the user list to grant the privileges specified in the privilege list to other users.
|
Caution
|
It is possible to assign this option to the user |
The GRANTED BY Clause
By default, when privileges are granted in a database, the current user is recorded as the grantor.The GRANTED BY clause enables the current user to grant those privileges as another user.
When using the REVOKE statement, it will fail if the current user is not the user that was named in the GRANTED BY clause.
The GRANTED BY (and AS) clause can be used only by the database owner and other administrators.The object owner cannot use GRANTED BY unless they also have administrator privileges.
Alternative Syntax Using AS username
The non-standard AS clause is supported as a synonym of the GRANTED BY clause to simplify migration from other database systems.
Privileges on Tables and Views
For tables and views, unlike other metadata objects, it is possible to grant several privileges at once.
List of Privileges on Tables
SELECT-
Permits the user or object to
SELECTdata from the table or view INSERT-
Permits the user or object to
INSERTrows into the table or view DELETE-
Permits the user or object to
DELETErows from the table or view UPDATE-
Permits the user or object to
UPDATErows in the table or view, optionally restricted to specific columns REFERENCES-
Permits the user or object to reference the table via a foreign key, optionally restricted to the specified columns.If the primary or unique key referenced by the foreign key of the other table is composite then all columns of the key must be specified.
ALL [PRIVILEGES]-
Combines
SELECT,INSERT,UPDATE,DELETEandREFERENCESprivileges in a single package
Examples of GRANT <privilege> on Tables
-
SELECTandINSERTprivileges to the userALEX:GRANT SELECT, INSERT ON TABLE SALES TO USER ALEX; -
The
SELECTprivilege to theMANAGER,ENGINEERroles and to the userIVAN:GRANT SELECT ON TABLE CUSTOMER TO ROLE MANAGER, ROLE ENGINEER, USER IVAN; -
All privileges to the
ADMINISTRATORrole, together with the authority to grant the same privileges to others:GRANT ALL ON TABLE CUSTOMER TO ROLE ADMINISTRATOR WITH GRANT OPTION; -
The
SELECTandREFERENCESprivileges on theNAMEcolumn to all users and objects:GRANT SELECT, REFERENCES (NAME) ON TABLE COUNTRY TO PUBLIC; -
The
SELECTprivilege being granted to the userIVANby the userALEX:GRANT SELECT ON TABLE EMPLOYEE TO USER IVAN GRANTED BY ALEX; -
Granting the
UPDATEprivilege on theFIRST_NAME,LAST_NAMEcolumns:GRANT UPDATE (FIRST_NAME, LAST_NAME) ON TABLE EMPLOYEE TO USER IVAN; -
Granting the
INSERTprivilege to the stored procedureADD_EMP_PROJ:GRANT INSERT ON EMPLOYEE_PROJECT TO PROCEDURE ADD_EMP_PROJ;
The EXECUTE Privilege
The EXECUTE privilege applies to stored procedures, stored functions (including UDFs), and packages.It allows the grantee to execute the specified object, and, if applicable, to retrieve its output.
In the case of selectable stored procedures, it acts somewhat like a SELECT privilege, insofar as this style of stored procedure is executed in response to a SELECT statement.
|
Note
|
For packages, the |
Examples of Granting the EXECUTE Privilege
-
Granting the
EXECUTEprivilege on a stored procedure to a role:GRANT EXECUTE ON PROCEDURE ADD_EMP_PROJ TO ROLE MANAGER; -
Granting the
EXECUTEprivilege on a stored function to a role:GRANT EXECUTE ON FUNCTION GET_BEGIN_DATE TO ROLE MANAGER; -
Granting the
EXECUTEprivilege on a package to userPUBLIC:GRANT EXECUTE ON PACKAGE APP_VAR TO USER PUBLIC; -
Granting the
EXECUTEprivilege on a function to a package:GRANT EXECUTE ON FUNCTION GET_BEGIN_DATE TO PACKAGE APP_VAR;
The USAGE Privilege
To be able to use metadata objects other than tables, views, stored procedures or functions, triggers and packages, it is necessary to grant the user (or database object like trigger, procedure or function) the USAGE privilege on these objects.
By default, Firebird executes PSQL modules with the privileges of the caller, so it is necessary that either the user or otherwise the routine itself has been granted the USAGE privilege.This can be changed with the SQL SECURITY clause of the DDL statements of those objects.
|
Note
|
The |
|
Note
|
For sequences (generators), the |
Examples of Granting the USAGE Privilege
-
Granting the
USAGEprivilege on a sequence to a role:GRANT USAGE ON SEQUENCE GEN_AGE TO ROLE MANAGER; -
Granting the
USAGEprivilege on a sequence to a trigger:GRANT USAGE ON SEQUENCE GEN_AGE TO TRIGGER TR_AGE_BI; -
Granting the
USAGEprivilege on an exception to a package:GRANT USAGE ON EXCEPTION TO PACKAGE PKG_BILL;
DDL Privileges
By default, only administrators can create new metadata objects.Altering or dropping these objects is restricted to the owner of the object (its creator) and administrators.DDL privileges can be used to grant privileges for these operations to other users.
Available DDL Privileges
CREATE-
Allows creation of an object of the specified type
ALTER ANY-
Allows modification of any object of the specified type
DROP ANY-
Allows deletion of any object of the specified type
ALL [PRIVILEGES]-
Combines the
CREATE,ALTER ANYandDROP ANYprivileges for the specified type
|
Note
|
There are no separate DDL privileges for triggers and indexes.The necessary privileges are inherited from the table or view.Creating, altering or dropping a trigger or index requires the |
Examples of Granting DDL Privileges
-
Allow user
JOEto create tablesGRANT CREATE TABLE TO USER Joe; -
Allow user
JOEto alter any procedureGRANT ALTER ANY PROCEDURE TO USER Joe;
Database DDL Privileges
The syntax for granting privileges to create, alter or drop a database deviates from the normal syntax of granting DDL privileges for other object types.
Available Database DDL Privileges
CREATE-
Allows creation of a database
ALTER-
Allows modification of the current database
DROP-
Allows deletion of the current database
ALL [PRIVILEGES]-
Combines the
ALTERandDROPprivileges.ALLdoes not include theCREATEprivilege.
The ALTER DATABASE and DROP DATABASE privileges apply only to the current database, whereas DDL privileges ALTER ANY and DROP ANY on other object types apply to all objects of the specified type in the current database.The privilege to alter or drop the current database can only be granted by administrators.
The CREATE DATABASE privilege is a special kind of privilege as it is saved in the security database.A list of users with the CREATE DATABASE privilege is available from the virtual table SEC$DB_CREATORS.Only administrators in the security database can grant the privilege to create a new database.
|
Note
|
|
Examples of Granting Database DDL Privileges
-
Granting
SUPERUSERthe privilege to create databases:GRANT CREATE DATABASE TO USER Superuser; -
Granting
JOEthe privilege to executeALTER DATABASEfor the current database:GRANT ALTER DATABASE TO USER Joe; -
Granting
FEDORthe privilege to drop the current database:GRANT DROP DATABASE TO USER Fedor;