
3.2 Privileges and Roles

When a database object is created, it is assigned an owner. The owner is the user that executed the creation statement. By default, only the owner and the DBA user can do anything with the database object. To allow other users to use it, privileges must be granted.

There are several possible privileges:

  • CREATE-USER - create new user
  • CREATE-DOCUMENT - create new document
  • CREATE-COLLECTION - create new collection
  • CREATE-INDEX - create new value-based index
  • CREATE-FT-INDEX - create new full-text index
  • CREATE-TRIGGER - create new trigger
  • LOAD-MODULE - load new module into database
  • LOAD - load new document either into database or collection
  • DROP - drop index, document, collection, user, role
  • QUERY - query document, collection or database
  • INSERT - perform update insert statements
  • DELETE - perform update delete statements
  • RENAME - perform update rename statements
  • RETRIEVE-METADATA - retrieve metadata

Privileges are assigned to database objects or to the whole database. The table below lists, for every privilege, the kinds of database object (or the whole database) it can be assigned to.

Privilege           Can be assigned to
-----------------   ------------------------------------------------------
CREATE-USER         DATABASE
CREATE-DOCUMENT     DATABASE, COLLECTION
CREATE-COLLECTION   DATABASE
CREATE-INDEX        DOCUMENT, COLLECTION
CREATE-FT-INDEX     DOCUMENT, COLLECTION
CREATE-TRIGGER      DOCUMENT, COLLECTION
LOAD-MODULE         DATABASE
RETRIEVE-METADATA   DATABASE
LOAD                DATABASE, COLLECTION
DROP                DOCUMENT, COLLECTION, INDEX, MODULE, TRIGGER, FT-INDEX
QUERY               DOCUMENT, COLLECTION
INSERT              DOCUMENT, COLLECTION
DELETE              DOCUMENT, COLLECTION
RENAME              DOCUMENT, COLLECTION

In addition, the keyword ALL denotes all privileges that can be granted on the specified object.

Note that granting the DROP privilege on a collection to a user means that the user can drop any document in that collection (there is no such kind of database object as 'document in collection'). The LOAD privilege on the database allows a user to load standalone documents; the LOAD privilege on a collection allows a user to load documents into that collection.

A role is a named group of related privileges. Roles provide an easy and controlled way to manage privileges. To create a role, use the CREATE ROLE statement:

CREATE ROLE "role-name"

This statement creates a role with the name role-name. When created, a role does not contain any privileges. It is not recommended to create a role with the name of an existing user (in this case privileges will be granted both to that user and to the role).

It is not allowed to use "DBA" and "PUBLIC" as role names, as they are reserved by the system.

To destroy a role, use DROP ROLE:

DROP ROLE "role-name"

The role is automatically revoked from any user it was granted to.
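As an added example (not Sedna's own code or statement syntax), the following Python model captures the rules of this section so a proposed set of grants can be sanity-checked offline: the privilege-to-object table, expansion of ALL, the reserved role names, DROP on a collection covering the documents in it, and DROP ROLE revoking the role from every user. The class and method names (PrivilegeModel, grant, grant_role, effective, allowed) and the rule that a grantee naming an existing role is treated as that role rather than a user are assumptions of the model, not Sedna behaviour.

```python
# Added example (not Sedna's own code): a model of the privilege rules this section states.
DB, DB_COLL, DOC_COLL = {"DATABASE"}, {"DATABASE", "COLLECTION"}, {"DOCUMENT", "COLLECTION"}
ASSIGNABLE = {  # object kinds each privilege may be assigned to, per the table above
    "CREATE-USER": DB, "CREATE-COLLECTION": DB, "LOAD-MODULE": DB, "RETRIEVE-METADATA": DB,
    "CREATE-DOCUMENT": DB_COLL, "LOAD": DB_COLL,
    "CREATE-INDEX": DOC_COLL, "CREATE-FT-INDEX": DOC_COLL, "CREATE-TRIGGER": DOC_COLL,
    "QUERY": DOC_COLL, "INSERT": DOC_COLL, "DELETE": DOC_COLL, "RENAME": DOC_COLL,
    "DROP": {"DOCUMENT", "COLLECTION", "INDEX", "MODULE", "TRIGGER", "FT-INDEX"},
}
RESERVED_ROLE_NAMES = {"DBA", "PUBLIC"}

class PrivilegeModel:
    def __init__(self):
        self.roles = {}           # role -> {(privilege, object kind, object name)}
        self.users = {}           # user -> directly granted privileges, same shape
        self.user_roles = {}      # user -> set of role names granted to the user
        self.doc_collection = {}  # document name -> collection that holds it

    def create_role(self, name):
        if name in RESERVED_ROLE_NAMES:
            raise ValueError(f"role name {name!r} is reserved by the system")
        self.roles.setdefault(name, set())  # a newly created role holds no privileges

    def drop_role(self, name):
        del self.roles[name]
        for roles in self.user_roles.values():  # automatically revoked from every user
            roles.discard(name)

    def grant(self, privilege, kind, obj, grantee):
        # ALL expands to every privilege that can be assigned to this object kind.
        privs = [p for p, k in ASSIGNABLE.items() if kind in k] if privilege == "ALL" else [privilege]
        if not privs or any(kind not in ASSIGNABLE.get(p, ()) for p in privs):
            raise ValueError(f"{privilege} cannot be assigned to {kind}")
        # Assumed resolution: a grantee naming an existing role is treated as that role, else as a user.
        holder = self.roles if grantee in self.roles else self.users
        holder.setdefault(grantee, set()).update((p, kind, obj) for p in privs)

    def grant_role(self, role, user):
        self.user_roles.setdefault(user, set()).add(role)

    def effective(self, user):
        roles = (self.roles.get(r, set()) for r in self.user_roles.get(user, ()))
        return set(self.users.get(user, ())).union(*roles)  # direct grants plus role grants

    def allowed(self, user, privilege, kind, obj):
        privs = self.effective(user)
        if (privilege, kind, obj) in privs:
            return True
        # DROP on a collection covers every document in it (there is no "document in collection" object).
        return privilege == "DROP" and kind == "DOCUMENT" and ("DROP", "COLLECTION", self.doc_collection.get(obj)) in privs
```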