User privileges are divided into direct and indirect privileges. Direct privileges are directly granted to a user. Indirect privileges are granted to the roles of a user. Most operations can be performed with direct or indirect privileges.
Obtain the privileges granted to roles
If you grant a role to a user or another role of the user, the user indirectly obtains the privileges of the granted role.
Notice
A user can always use privileges that are directly granted, but can only use indirect privileges of an active role in a session.
Prerequisites
To grant a role to a user or role, you must have the granted role and the ADMIN OPTION privilege. For more information about how to view your privileges, see View user privileges.
Background information
Assume that a user named test1 has been granted the employee role. You can execute the following statement to view the privileges granted to the employee role:
obclient [oceanbase]> SHOW GRANTS FOR employee;
The return result is as follows:
+--------------------------------------------------+
| Grants for employee@% |
+--------------------------------------------------+
| GRANT USAGE ON *.* TO 'employee' |
| GRANT UPDATE, SELECT ON `dbtest`.* TO 'employee' |
+--------------------------------------------------+
2 rows in set
Assume that you have the developer role. You can execute the following statement to view the privileges of the developer role:
obclient [oceanbase]> SHOW GRANTS FOR developer;
The return result is as follows:
+------------------------------------------+
| Grants for developer@% |
+------------------------------------------+
| GRANT ALTER SYSTEM ON *.* TO 'developer' |
+------------------------------------------+
1 row in set
Examples
If you want to grant all operation privileges of the developer role to the test1 user, perform the following steps:
Grant the required role to the user
Grant the
developerrole to thetest1user.obclient [oceanbase]> GRANT developer TO test1;If you want to use the
test1user to grant the role to another user, add theWITH ADMIN OPTIONclause.obclient [oceanbase]> GRANT developer TO test1 WITH ADMIN OPTION;Use the
SHOW GRANTS ... USINGstatement to view the privileges obtained by thetest1user from thedeveloperrole.obclient [oceanbase]> SHOW GRANTS FOR test1 USING developer;The return result is as follows:
+-----------------------------------------------------+ | Grants for test1@% | +-----------------------------------------------------+ | GRANT ALTER SYSTEM ON *.* TO 'test1' | | GRANT `developer`@`%`,`employee`@`%` TO `test1`@`%` | +-----------------------------------------------------+ 2 rows in set
Grant the required role to another role
Grant the
developerrole to theemployeerole.obclient [oceanbase]> GRANT developer TO employee;Use the
SHOW GRANTS ... USINGstatement to view the privileges obtained by thetest1user from theemployeerole.obclient [oceanbase]> SHOW GRANTS FOR test1 USING employee;The return result is as follows:
+-----------------------------------------------+ | Grants for test1@% | +-----------------------------------------------+ | GRANT ALTER SYSTEM ON *.* TO 'test1' | | GRANT UPDATE, SELECT ON `dbtest`.* TO 'test1' | | GRANT `employee`@`%` TO `test1`@`%` | +-----------------------------------------------+ 3 rows in setThe result indicates that the
test1user obtained theALTER SYSTEMprivilege from theemployeerole. Then, execute the following statement to view the roles or privileges granted to theemployeerole:obclient [(none)]> SHOW GRANTS FOR employee;The result is as follows and it indicates that the
ALTER SYSTEMprivilege is granted from thedeveloperrole.+--------------------------------------------------+ | Grants for employee@% | +--------------------------------------------------+ | GRANT USAGE ON *.* TO 'employee' | | GRANT UPDATE, SELECT ON `dbtest`.* TO 'employee' | | GRANT `developer`@`%` TO `employee`@`%` | +--------------------------------------------------+ 3 rows in set
References
For more information about role-related operations, see Manage roles.