Commit fccda9e

Update GRANT example and discussion to match current sources.
1 parent 75c3322 commit fccda9e

1 file changed

+37
-20
lines changed

doc/src/sgml/ref/grant.sgml

Lines changed: 37 additions & 20 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.22 2002/04/21 00:26:42 tgl Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.23 2002/04/22 19:17:40 tgl Exp $
33
PostgreSQL documentation
44
-->
55

@@ -157,11 +157,10 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
157157
<term>CREATE</term>
158158
<listitem>
159159
<para>
160-
For databases, allows new schemas to be created in the database.
160+
For databases, allows new schemas to be created within the database.
161161
</para>
162162
<para>
163-
For schemas, allows new objects to be created within the specified
164-
schema.
163+
For schemas, allows new objects to be created within the schema.
165164
</para>
166165
</listitem>
167166
</varlistentry>
@@ -196,9 +195,9 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
196195
of privilege that is applicable to procedural languages.
197196
</para>
198197
<para>
199-
For schemas, allows the use of objects contained in the specified
198+
For schemas, allows access to objects contained in the specified
200199
schema (assuming that the objects' own privilege requirements are
201-
met). Essentially this allows the grantee to <quote>look up</>
200+
also met). Essentially this allows the grantee to <quote>look up</>
202201
objects within the schema.
203202
</para>
204203
</listitem>
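
Review bot: The USAGE paragraph at new line 198 still says "contained in the specified schema", while the CREATE paragraph reworded in the previous hunk now says just "within the schema"; pick one form and use it in both places. The point that USAGE on a schema grants nothing on the objects themselves is carried only by the parenthetical "also met"; consider making it a sentence of its own, since readers auditing schema grants will look for it here.
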
@@ -226,6 +225,11 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
226225
<refsect1 id="SQL-GRANT-notes">
227226
<title>Notes</title>
228227

228+
<para>
229+
The <xref linkend="sql-revoke" endterm="sql-revoke-title"> command is used
230+
to revoke access privileges.
231+
</para>
232+
229233
<para>
230234
It should be noted that database <firstterm>superusers</> can access
231235
all objects regardless of object privilege settings. This
@@ -243,19 +247,19 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
243247

244248
<para>
245249
Use <xref linkend="app-psql">'s <command>\z</command> command
246-
to obtain information about privileges
247-
on existing objects:
250+
to obtain information about existing privileges, for example:
251+
<programlisting>
252+
lusitania=> \z mytable
253+
Access privileges for database "lusitania"
254+
Table | Access privileges
255+
---------+---------------------------------------
256+
mytable | {=r,miriam=arwdRxt,"group todos=arw"}
257+
</programlisting>
258+
The entries shown by <command>\z</command> are interpreted thus:
248259
<programlisting>
249-
Database = lusitania
250-
+------------------+---------------------------------------------+
251-
| Relation | Grant/Revoke Permissions |
252-
+------------------+---------------------------------------------+
253-
| mytable | {"=rw","miriam=arwdRxt","group todos=rw"} |
254-
+------------------+---------------------------------------------+
255-
Legend:
256-
uname=arwR -- privileges granted to a user
257-
group gname=arwR -- privileges granted to a group
258-
=arwR -- privileges granted to PUBLIC
260+
=xxxx -- privileges granted to PUBLIC
261+
uname=xxxx -- privileges granted to a user
262+
group gname=xxxx -- privileges granted to a group
259263

260264
r -- SELECT ("read")
261265
w -- UPDATE ("write")
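
Review bot: The legend at new lines 260-262 swaps the concrete letters for "xxxx" but nothing says what "xxxx" stands for; add a short remark that it is a string of the privilege letters listed underneath, so that "=r" and "group todos=arw" in the sample row can be read against it. The sample row also appears before the reader is told which commands produced it, so a brief pointer from "for example:" at new line 250 to the GRANT commands further down would help.
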
@@ -269,12 +273,25 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
269273
C -- CREATE
270274
T -- TEMPORARY
271275
arwdRxt -- ALL PRIVILEGES (for tables)
276+
</programlisting>
277+
278+
The above example display would be seen by user <literal>miriam</> after
279+
creating table <literal>mytable</> and doing
280+
281+
<programlisting>
282+
GRANT SELECT ON mytable TO PUBLIC;
283+
GRANT SELECT,UPDATE,INSERT ON mytable TO GROUP todos;
272284
</programlisting>
273285
</para>
274286

275287
<para>
276-
The <xref linkend="sql-revoke" endterm="sql-revoke-title"> command is used to revoke access
277-
privileges.
288+
If the <quote>Access privileges</> column is empty for a given object,
289+
it means the object has default privileges (that is, its privileges field
290+
is NULL). Currently, default privileges are interpreted the same way
291+
for all object types: all privileges for the owner and no privileges for
292+
anyone else. The first <command>GRANT</> on an object will instantiate
293+
this default (producing, for example, <literal>{=,miriam=arwdRxt}</>)
294+
and then modify it per the specified request.
278295
</para>
279296
</refsect1>
280297
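
Review bot: The lead-in at new lines 278-279 stops at "and doing" with no colon before the programlisting that follows, so it reads as a fragment; end it with a colon. In the default-privileges paragraph, "{=,miriam=arwdRxt}" is the table case (arwdRxt is listed above as ALL PRIVILEGES for tables) while the sentence speaks of all object types; say "for a table" at that point. An empty "Access privileges" column is easy to misread as "nobody has access", so consider leading with the statement that the owner holds all privileges in that case.
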
