aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/src/sgml/ddl.sgml62
-rw-r--r--doc/src/sgml/ref/grant.sgml6
2 files changed, 42 insertions, 26 deletions
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 71bb34d83ce..af87cabc0c9 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.28 2004/08/07 19:53:48 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.29 2004/08/07 20:44:49 tgl Exp $ -->
<chapter id="ddl">
<title>Data Definition</title>
@@ -1378,29 +1378,22 @@ ALTER TABLE products RENAME TO items;
When you create a database object, you become its owner. By
default, only the owner of an object can do anything with the
object. In order to allow other users to use it,
- <firstterm>privileges</firstterm> must be granted. (There are also
- users that have the superuser privilege. Those users can always
+ <firstterm>privileges</firstterm> must be granted. (However,
+ users that have the superuser attribute can always
access any object.)
</para>
- <note>
- <para>
- To change the owner of a table, index, sequence, or view, use the
- <xref linkend="sql-altertable" endterm="sql-altertable-title">
- command.
- </para>
- </note>
-
<para>
There are several different privileges: <literal>SELECT</>,
<literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
<literal>RULE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
<literal>CREATE</>, <literal>TEMPORARY</>, <literal>EXECUTE</>,
- <literal>USAGE</>, and <literal>ALL PRIVILEGES</>. For complete
+ and <literal>USAGE</>. The privileges applicable to a particular
+ object vary depending on the object's type (table, function, etc).
+ For complete
information on the different types of privileges supported by
<productname>PostgreSQL</productname>, refer to the
- <xref linkend="sql-grant" endterm="sql-grant-title">
- reference page. The following sections
+ <xref linkend="sql-grant"> reference page. The following sections
and chapters will also show you how those privileges are used.
</para>
@@ -1409,23 +1402,30 @@ ALTER TABLE products RENAME TO items;
the owner only.
</para>
+ <note>
+ <para>
+ To change the owner of a table, index, sequence, or view, use the
+ <xref linkend="sql-altertable"> command. There are corresponding
+ <literal>ALTER</> commands for other object types.
+ </para>
+ </note>
+
<para>
To assign privileges, the <command>GRANT</command> command is
- used. So, if <literal>joe</literal> is an existing user, and
+ used. For example, if <literal>joe</literal> is an existing user, and
<literal>accounts</literal> is an existing table, the privilege to
update the table can be granted with
<programlisting>
GRANT UPDATE ON accounts TO joe;
</programlisting>
- The user executing this command must be the owner of the table. To
- grant a privilege to a group, use
+ To grant a privilege to a group, use this syntax:
<programlisting>
GRANT SELECT ON accounts TO GROUP staff;
</programlisting>
The special <quote>user</quote> name <literal>PUBLIC</literal> can
be used to grant a privilege to every user on the system. Writing
- <literal>ALL</literal> in place of a specific privilege specifies that all
- privileges will be granted.
+ <literal>ALL</literal> in place of a specific privilege grants all
+ privileges that are relevant for the object type.
</para>
<para>
@@ -1434,13 +1434,24 @@ GRANT SELECT ON accounts TO GROUP staff;
<programlisting>
REVOKE ALL ON accounts FROM PUBLIC;
</programlisting>
- The special privileges of the table owner (i.e., the right to do
+ The special privileges of the object owner (i.e., the right to do
<command>DROP</>, <command>GRANT</>, <command>REVOKE</>, etc.)
are always implicit in being the owner,
- and cannot be granted or revoked. But the table owner can choose
+ and cannot be granted or revoked. But the object owner can choose
to revoke his own ordinary privileges, for example to make a
table read-only for himself as well as others.
</para>
+
+ <para>
+ Ordinarily, only the object's owner (or a superuser) can grant or revoke
+ privileges on an object. However, it is possible to grant a privilege
+ <quote>with grant option</>, which gives the recipient the right to
+ grant it in turn to others. If the grant option is subsequently revoked
+ then all who received the privilege from that recipient (directly or
+ through a chain of grants) will lose the privilege. For details see
+ the <xref linkend="sql-grant"> and <xref linkend="sql-revoke"> reference
+ pages.
+ </para>
</sect1>
<sect1 id="ddl-schemas">
@@ -1544,12 +1555,17 @@ CREATE SCHEMA myschema;
<synopsis>
<replaceable>schema</><literal>.</><replaceable>table</>
</synopsis>
+ (For brevity we will speak of tables only, but the same ideas apply
+ to other kinds of named objects, such as types and functions.)
+ </para>
+
+ <para>
Actually, the even more general syntax
<synopsis>
<replaceable>database</><literal>.</><replaceable>schema</><literal>.</><replaceable>table</>
</synopsis>
can be used too, but at present this is just for pro-forma compliance
- with the SQL standard; if you write a database name it must be the
+ with the SQL standard. If you write a database name, it must be the
same as the database you are connected to.
</para>
@@ -1862,7 +1878,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
privileges to allow the other users to access them. Users can
then refer to these additional objects by qualifying the names
with a schema name, or they can put the additional schemas into
- their path, as they choose.
+ their search path, as they choose.
</para>
</listitem>
</itemizedlist>
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index a6a2d4d994e..9ea480c57a3 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
<!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.41 2004/06/18 06:13:05 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.42 2004/08/07 20:44:50 tgl Exp $
PostgreSQL documentation
-->
@@ -52,8 +52,8 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
<para>
The <command>GRANT</command> command gives specific privileges on
- an object (table, view, sequence, database, function, procedural language,
- or schema) to
+ an object (table, view, sequence, database, tablespace, function,
+ procedural language, or schema) to
one or more users or groups of users. These privileges are added
to those already granted, if any.
</para>