Structured Query Language/Managing Rights

Privileges are actions that users can perform. The SQL standard supports only a limited list of privileges, whereas real implementations offer a great bunch of different privileges. The list consists of: SELECT, INSERT, UPDATE, DELETE, CREATE <object_type>, DROP <object_type>, EXECUTE, ... .

The list of object types, to which privileges may be granted, is short in the SQL standard and long for real implementations. It consists of tables, views, indexes, sequences, triggers, procedures, ... .

If there is a great number of users connecting to the DBMS, it is helpful to group users with identical rights to a role and grant privileges not to the individual users but the role. To do so, the role must be created by a CREATE ROLE statement. Afterward, users are joined with this role.

-- Create a role
-- (MySQL supports only predefined roles with special semantics).
CREATE ROLE department_human_resources;

-- Enrich the role with rights
GRANT  SELECT, INSERT, UPDATE, DELETE ON person        TO department_human_resources;
GRANT  SELECT, INSERT                 ON hobby         TO department_human_resources;
GRANT  SELECT, INSERT, UPDATE, DELETE ON person_hobby  TO department_human_resources;

-- Join users with the role
GRANT  department_human_resources TO user_1;
GRANT  department_human_resources TO user_2;

Instead of individual usernames, the keyword PUBLIC denotes all known users.

-- Everybody shall be allowed to read the rows of the 'person' table.
GRANT SELECT ON person TO PUBLIC;

If a DBA wants to delegate the managing of rights to special users, he can grant privileges to them and extend the statement with the phrase 'WITH GRANT OPTION'. This enables the users to grant the received privileges to any other user.

-- User 'hibernate' gets the right to pass the SELECT privilege on table 'person' to any other user.
GRANT SELECT ON person TO hibernate WITH GRANT OPTION;