3.2 Privileges and Roles
When a database object is created, it is assigned an owner. The owner is the user that
executed the creation statement. By default, only the owner and the DBA user can do
anything with the database object. To allow other users to use it, privileges
must be granted.
The following privileges exist:
- CREATE-USER - create a new user
- CREATE-DOCUMENT - create a new document
- CREATE-COLLECTION - create a new collection
- CREATE-INDEX - create a new value-based index
- CREATE-FT-INDEX - create a new full-text index
- CREATE-TRIGGER - create a new trigger
- LOAD-MODULE - load a new module into the database
- LOAD - load a new document either into the database or into a collection
- DROP - drop an index, document, collection, user or role
- QUERY - query a document, collection or the database
- INSERT - execute update insert statements
- DELETE - execute update delete statements
- RENAME - execute update rename statements
- RETRIEVE-METADATA - retrieve metadata
Privileges are assigned to database objects or to the whole database. The table
below lists, for every privilege, the kinds of database object (or the whole database)
it can be assigned to.

| Privilege         | Can be assigned to                                    |
|-------------------|-------------------------------------------------------|
| CREATE-USER       | DATABASE                                              |
| CREATE-DOCUMENT   | DATABASE, COLLECTION                                  |
| CREATE-COLLECTION | DATABASE                                              |
| CREATE-INDEX      | DOCUMENT, COLLECTION                                  |
| CREATE-FT-INDEX   | DOCUMENT, COLLECTION                                  |
| CREATE-TRIGGER    | DOCUMENT, COLLECTION                                  |
| LOAD-MODULE       | DATABASE                                              |
| RETRIEVE-METADATA | DATABASE                                              |
| LOAD              | DATABASE, COLLECTION                                  |
| DROP              | DOCUMENT, COLLECTION, INDEX, MODULE, TRIGGER, FT-INDEX |
| QUERY             | DOCUMENT, COLLECTION                                  |
| INSERT            | DOCUMENT, COLLECTION                                  |
| DELETE            | DOCUMENT, COLLECTION                                  |
| RENAME            | DOCUMENT, COLLECTION                                  |
In addition, the keyword ALL denotes all privileges that can be granted on the
specified object.
Note that granting the DROP privilege on a collection to a user means that the user can
drop any document in that collection (there is no database object of the kind "document
in collection", so DROP cannot be granted per document there). The LOAD privilege on the
database allows a user to load standalone documents; the LOAD privilege on a collection
allows a user to load documents into that collection only.
A role is a named group of related privileges. Roles provide an easy and controlled way
to manage privileges. To create a role, the CREATE ROLE statement is used:
CREATE ROLE "role-name"
This statement creates a role named role-name. A newly created role contains no
privileges. It is not recommended to create a role with the name of an existing user:
in that case a grant to that name applies both to the user and to the role, which makes
the effective privileges hard to audit.
The names "DBA" and "PUBLIC" cannot be used for roles, as they are reserved by the
system.
To destroy a role, use DROP ROLE:
DROP ROLE "role-name"
The role is automatically revoked from every user it was granted to, so any access those
users had only through the role disappears with it.
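The rules of this section, the privilege/object table, the ALL keyword, DROP on a collection covering its documents, the two scopes of LOAD, the reserved role names and the revocation that follows DROP ROLE, as an added example written for this page. It is a small in-memory model for reasoning about grants, not code from the database product this page documents, and not its implementation: the names `Catalog`, `DbObject` and `privileges_for`, and the objects, users and roles used with them, are constructed for illustration. The one generalization beyond the text is that every privilege on a document stored in a collection, not only DROP, is resolved against the collection.

```python
from dataclasses import dataclass, field

# Object kinds each privilege can be assigned to, as in the table above.
ASSIGNABLE = {
    "CREATE-USER": {"DATABASE"},
    "CREATE-DOCUMENT": {"DATABASE", "COLLECTION"},
    "CREATE-COLLECTION": {"DATABASE"},
    "CREATE-INDEX": {"DOCUMENT", "COLLECTION"},
    "CREATE-FT-INDEX": {"DOCUMENT", "COLLECTION"},
    "CREATE-TRIGGER": {"DOCUMENT", "COLLECTION"},
    "LOAD-MODULE": {"DATABASE"},
    "RETRIEVE-METADATA": {"DATABASE"},
    "LOAD": {"DATABASE", "COLLECTION"},
    "DROP": {"DOCUMENT", "COLLECTION", "INDEX", "MODULE", "TRIGGER", "FT-INDEX"},
    "QUERY": {"DOCUMENT", "COLLECTION"},
    "INSERT": {"DOCUMENT", "COLLECTION"},
    "DELETE": {"DOCUMENT", "COLLECTION"},
    "RENAME": {"DOCUMENT", "COLLECTION"},
}
RESERVED_ROLE_NAMES = {"DBA", "PUBLIC"}


def privileges_for(kind):
    """Expand the keyword ALL: every privilege assignable to an object of this kind."""
    return {p for p, kinds in ASSIGNABLE.items() if kind in kinds}


@dataclass
class DbObject:
    kind: str               # COLLECTION, DOCUMENT, INDEX, ...
    owner: str              # the user that executed the creation statement
    collection: str = None  # set when a document is stored in a collection


@dataclass
class Catalog:
    """Hypothetical in-memory catalog (constructed for this example)."""
    users: set = field(default_factory=lambda: {"DBA"})
    objects: dict = field(default_factory=dict)   # name -> DbObject
    roles: dict = field(default_factory=dict)     # role -> {(privilege, object)}
    members: dict = field(default_factory=dict)   # role -> {user}
    direct: dict = field(default_factory=dict)    # user -> {(privilege, object)}

    def create_object(self, name, kind, owner, collection=None):
        self.objects[name] = DbObject(kind, owner, collection)

    def create_role(self, name):
        if name in RESERVED_ROLE_NAMES:
            raise ValueError(f"{name} is reserved by the system")
        if name in self.users:   # a grant to this name would hit user and role alike
            raise ValueError(f"role {name} would collide with an existing user")
        self.roles[name] = set()
        self.members[name] = set()

    def drop_role(self, name):
        """DROP ROLE: the role's grants and all memberships disappear with it."""
        del self.roles[name]
        del self.members[name]

    def grant_role(self, role, user):
        self.members[role].add(user)

    def grant(self, privilege, obj, grantee):
        """Record a grant of privilege on obj, rejecting impossible combinations."""
        if obj == "DATABASE":
            kind = "DATABASE"
        else:
            target = self.objects[obj]
            if target.collection:
                raise ValueError("no 'document in collection' object; grant on the collection")
            kind = target.kind
        wanted = privileges_for(kind) if privilege == "ALL" else {privilege}
        for p in wanted:
            if kind not in ASSIGNABLE.get(p, ()):
                raise ValueError(f"{p} cannot be assigned to {kind}")
        store = self.roles if grantee in self.roles else self.direct
        store.setdefault(grantee, set()).update((p, obj) for p in wanted)

    def holds(self, user, privilege, obj):
        """Privilege granted directly or through any role the user belongs to."""
        held = set(self.direct.get(user, ()))
        for role, users in self.members.items():
            if user in users:
                held |= self.roles[role]
        return (privilege, obj) in held

    def allowed(self, user, privilege, obj):
        """Access decision: DBA and the owner may do anything, others need a grant."""
        if user == "DBA":
            return True
        target = self.objects.get(obj)
        if target is not None:
            if target.owner == user:
                return True
            if target.collection:
                # The text states this for DROP; applying it to every privilege
                # on a document inside a collection is this example's assumption.
                return self.allowed(user, privilege, target.collection)
        return self.holds(user, privilege, obj)
```

The `grant` check is the part worth keeping around when reviewing a real grant script: a privilege that the table does not allow for the object kind (CREATE-USER on a collection, LOAD on a standalone document) is a mistake that should fail loudly rather than silently do nothing, and ALL expands to exactly the table's row for that kind.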