When you create a database object, you become its owner. By
default, only the owner of an object can do anything with the
object. In order to allow other users to use it,
privileges must be granted. (There are also
users that have the superuser privilege. Those users can always
access any object.)
Note: To change the owner of a table, index, sequence, or view, use the
ALTER TABLE command.
There are several different privileges: SELECT,
INSERT, UPDATE, DELETE,
RULE, REFERENCES, TRIGGER,
CREATE, TEMPORARY, EXECUTE,
USAGE, and ALL PRIVILEGES. For complete
information on the different types of privileges supported by
PostgreSQL, refer to the
GRANT reference page. The following sections
and chapters will also show you how those privileges are used.
The right to modify or destroy an object is always the privilege of
the owner only.
To assign privileges, the GRANT command is
used. So, if joe is an existing user, and
accounts is an existing table, the privilege to
update the table can be granted with
GRANT UPDATE ON accounts TO joe;
The user executing this command must be the owner of the table. To
grant a privilege to a group, use
GRANT SELECT ON accounts TO GROUP staff;
The special "user" name PUBLIC can
be used to grant a privilege to every user on the system. Writing
ALL in place of a specific privilege specifies that all
privileges will be granted.
To revoke a privilege, use the fittingly named
REVOKE command:
REVOKE ALL ON accounts FROM PUBLIC;
The special privileges of the table owner (i.e., the right to do
DROP, GRANT, REVOKE, etc)
are always implicit in being the owner,
and cannot be granted or revoked. But the table owner can choose
to revoke his own ordinary privileges, for example to make a
table read-only for himself as well as others.
