GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
[,...] | ALL [ PRIVILEGES ] }
ON [ TABLE ] tablename [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...]
GRANT { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
ON DATABASE dbname [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...]
GRANT { EXECUTE | ALL [ PRIVILEGES ] }
ON FUNCTION funcname ([type, ...]) [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...]
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON LANGUAGE langname [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...]
GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
ON SCHEMA schemaname [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...]
Description
The GRANT command gives specific permissions on
an object (table, view, sequence, database, function, procedural language,
or schema) to
one or more users or groups of users. These permissions are added
to those already granted, if any.
The key word PUBLIC indicates that the
privileges are to be granted to all users, including those that may
be created later. PUBLIC may be thought of as an
implicitly defined group that always includes all users.
Note that any particular user will have the sum
of privileges granted directly to him, privileges granted to any group he
is presently a member of, and privileges granted to
PUBLIC.
There is no need to grant privileges to the creator of an object,
as the creator has all privileges by default.
(The creator could, however, choose to revoke
some of his own privileges for safety.) Note that the ability to
grant and revoke privileges is inherent in the creator and cannot
be lost. The right to drop an object, or to alter it in any way
not described by a grantable right, is likewise inherent in the
creator, and cannot be granted or revoked.
Depending on the type of object, the initial default privileges may
include granting some privileges to PUBLIC.
The default is no public access for tables and schemas;
TEMP table creation privilege for databases;
EXECUTE privilege for functions; and
USAGE privilege for languages.
The object creator may of course revoke these privileges. (For maximum
security, issue the REVOKE in the same transaction that
creates the object; then there is no window in which another user
may use the object.)
The possible privileges are:
SELECT
Allows SELECT from any column of the
specified table, view, or sequence. Also allows the use of
COPY TO. For sequences, this
privilege also allows the use of the currval function.
INSERT
Allows INSERT of a new row into the
specified table. Also allows COPY FROM.
UPDATE
Allows UPDATE of any column of the
specified table. SELECT ... FOR UPDATE
also requires this privilege (besides the
SELECT privilege). For sequences, this
privilege allows the use of the nextval and
setval functions.
Allows the creation of a rule on the table/view. (See CREATE RULE statement.)
REFERENCES
To create a foreign key constraint, it is
necessary to have this privilege on both the referencing and
referenced tables.
TRIGGER
Allows the creation of a trigger on the specified table. (See
CREATE TRIGGER statement.)
CREATE
For databases, allows new schemas to be created within the database.
For schemas, allows new objects to be created within the schema.
To rename an existing object, you must own the object and
have this privilege for the containing schema.
TEMPORARY TEMP
Allows temporary tables to be created while using the database.
EXECUTE
Allows the use of the specified function and the use of any
operators that are implemented on top of the function. This is
the only type of privilege that is applicable to functions.
(This syntax works for aggregate functions, as well.)
USAGE
For procedural languages, allows the use of the specified language for
the creation of functions in that language. This is the only type
of privilege that is applicable to procedural languages.
For schemas, allows access to objects contained in the specified
schema (assuming that the objects' own privilege requirements are
also met). Essentially this allows the grantee to "look up"
objects within the schema.
ALL PRIVILEGES
Grant all of the privileges applicable to the object at once.
The PRIVILEGES key word is optional in
PostgreSQL, though it is required by
strict SQL.
The privileges required by other commands are listed on the
reference page of the respective command.
Notes
The REVOKE command is used
to revoke access privileges.
It should be noted that database superusers can access
all objects regardless of object privilege settings. This
is comparable to the rights of root in a Unix system.
As with root, it's unwise to operate as a superuser
except when absolutely necessary.
Currently, to grant privileges in PostgreSQL
to only a few columns, you must
create a view having the desired columns and then grant privileges
to that view.
Use psql's \dp command
to obtain information about existing privileges, for example:
=xxxx -- privileges granted to PUBLIC
uname=xxxx -- privileges granted to a user
group gname=xxxx -- privileges granted to a group
r -- SELECT ("read")
w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
R -- RULE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
T -- TEMPORARY
arwdRxt -- ALL PRIVILEGES (for tables)
The above example display would be seen by user miriam after
creating table mytable and doing
GRANT SELECT ON mytable TO PUBLIC;
GRANT SELECT,UPDATE,INSERT ON mytable TO GROUP todos;
If the "Access privileges" column is empty for a given object,
it means the object has default privileges (that is, its privileges field
is NULL). Default privileges always include all privileges for the owner,
and may include some privileges for PUBLIC depending on the
object type, as explained above. The first GRANT or
REVOKE on an object
will instantiate the default privileges (producing, for example,
{=,miriam=arwdRxt}) and then modify them per the specified request.
Examples
Grant insert privilege to all users on table films:
GRANT INSERT ON films TO PUBLIC;
Grant all privileges to user manuel on view kinds:
GRANT ALL PRIVILEGES ON kinds TO manuel;
Compatibility
SQL92
The PRIVILEGES key word in ALL
PRIVILEGES is required. SQL does not
support setting the privileges on more than one table per command.
The SQL92 syntax for GRANT allows setting
privileges for individual columns within a table, and allows
setting a privilege to grant the same privileges to others:
GRANT privilege [, ...]
ON object [ ( column [, ...] ) ] [, ...]
TO { PUBLIC | username [, ...] } [ WITH GRANT OPTION ]
SQL allows to grant the USAGE privilege on
other kinds of objects: CHARACTER SET, COLLATION, TRANSLATION, DOMAIN.
The TRIGGER privilege was introduced in SQL99. The RULE privilege
is a PostgreSQL extension.
