
3.3 Granting privileges

Privileges are granted to users so that they can access and operate on database objects or perform certain tasks on a database.

A user can receive a privilege in two ways: the privilege can be granted to the user explicitly, or it can be granted to a role, and the role can then be granted to one or more users. Roles make privileges easier to manage, so privileges are normally granted to roles rather than to specific users. Roles can be granted both to users and to other roles.

A user who has granted a privilege or a role is the grantor of this privilege (role).

To grant a privilege on a database object you must be an owner of this object or a DBA user. To grant one or more privileges on a database object to one or more users or roles, use:

GRANT "privilege" | ALL  
ON [DOCUMENT|COLLECTION] "database-object-name"  
TO "user-name|role-name" | PUBLIC

For example, the following statement:

GRANT "QUERY" ON DOCUMENT "auction" TO "Alice"

grants the QUERY privilege on the document auction to the user named Alice. She will be able to run any XQuery query on this document.

The key word PUBLIC is used when the privileges are to be granted to all users, including those that may be created later. PUBLIC may be thought of as an implicitly defined role that every user has.

If the kind of the database object (DOCUMENT or COLLECTION) is not specified, the database object is considered to be a document.

To grant a privilege on a database you must be a DBA user. To grant one or more privileges on a database to one or more users or roles, use:

GRANT "privilege" | ALL  
ON DATABASE  
TO "user-name|role-name" | PUBLIC

For example, the following statement:

GRANT "LOAD" ON DATABASE TO "Alice"

allows Alice to perform bulk load into the database.

To grant a role you must be allowed to grant every privilege of the role: you must either be the owner of every database object that the role's privileges refer to, or be a DBA user. Granting a role to another role means that the grantee adds the grantor’s privileges to its own set of privileges. To grant a role to one or more users or roles, use:

GRANT "role-name"  
TO "user-name|role-name" | PUBLIC
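
The following Python sketch is an added example, not part of the Sedna documentation or code base. It parses the three GRANT forms described above and flags the statements that deserve a second look in an access review. The review criteria, the case-insensitive keyword matching, the one-grantee-per-statement restriction and the role name "readers" are assumptions of this example.

```python
import re

# The three GRANT forms shown on this page, one privilege/role and one grantee
# per statement. Case-insensitive keywords are an assumption of this example.
GRANT_RE = re.compile(r'''
    ^\s*GRANT\s+(?P<what>ALL|"[^"]+")
    (?:\s+ON\s+(?:(?P<db>DATABASE)
                 |(?:(?P<kind>DOCUMENT|COLLECTION)\s+)?"(?P<obj>[^"]+)"))?
    \s+TO\s+(?P<to>PUBLIC|"[^"]+")\s*$''', re.IGNORECASE | re.VERBOSE)


def audit_grant(stmt):
    """Classify one GRANT statement and list review findings for it."""
    m = GRANT_RE.match(stmt)
    if not m:
        raise ValueError(f"not one of the page's GRANT forms: {stmt!r}")
    form = "database" if m["db"] else "object" if m["obj"] else "role"
    grants_all = m["what"].upper() == "ALL"   # unquoted keyword only
    if form == "role" and grants_all:
        raise ValueError("ALL appears only in the ON forms")
    findings = []
    if m["to"].upper() == "PUBLIC":
        findings.append("PUBLIC: reaches every user, including ones created later")
    if grants_all:
        findings.append("ALL: broader than naming the privilege that is needed")
    if form == "object" and m["kind"] is None:
        findings.append("kind omitted: object is treated as a DOCUMENT")
    return {"form": form, "what": m["what"].strip('"'),
            "grantee": m["to"].strip('"'), "findings": findings}


# Constructed sample script: two statements from the page, two made up here
# ("readers" is a hypothetical role name).
SAMPLE = [
    'GRANT "QUERY" ON DOCUMENT "auction" TO "Alice"',
    'GRANT "LOAD" ON DATABASE TO "Alice"',
    'GRANT ALL ON "auction" TO PUBLIC',
    'GRANT "readers" TO PUBLIC',
]

if __name__ == "__main__":
    for s in SAMPLE:
        r = audit_grant(s)
        print(f'{r["form"]:8} {s}')
        for f in r["findings"]:
            print(f"         - {f}")
```

A grant whose grantee is a quoted name cannot be classified as user or role from the statement alone, so the sketch does not try to flag direct-to-user grants.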