User privileges are divided into direct and indirect privileges. Direct privileges are the system or object privileges that are granted to a user. Indirect privileges are those that are granted to roles of a user. Most operations can be performed with direct or indirect privileges. However, there are certain operations where direct privileges are required. These operations include:
- When creating a view, the user needs permission to access objects in a view.
- Permissions required to execute statements in a named PL block with the definers' rights.
Indirect privileges granted to roles
Prerequisites
When granting system or object privileges or roles to a role, the current user must have the privileges or roles to be granted and have any of the following privileges: GRANT OPTION, GRANT ANY OBJECT PRIVILEGE, GRANT ANY PRIVILEGE, and GRANT ANY ROLE.
For more information about how to view privileges, see View user privileges. If the user does not have the required privileges, contact an administrator. For more information about how to modify privileges, see Modify user privileges. For more information about how to view the roles that a user has, see View roles.
Examples
Grant the SELECT privilege on the test1.tbl1 table to the role1 role:
obclient> GRANT SELECT ON test1.tbl1 TO role1;
Query OK, 0 rows affected
In addition, you can add a privilege to the PUBLIC role using the following SQL statement:
Warning:
To ensure database security, only grant a privilege to this role when it is necessary.
obclient> GRANT [privilege_list] TO PUBLIC;
If you grant a privilege to the PUBLIC role, all users in the tenant have that privilege. This means that all users can immediately perform operations authorized by the privilege. For more information about the PUBLIC role, see Overview.
For more information about the GRANT statement, see GRANT.