Commit 27fedc8

Improve privileges discussion (mostly, mention grant options).
1 parent 82433e9 commit 27fedc8

2 files changed: +42 -26 lines changed

doc/src/sgml/ddl.sgml

+39-23
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.28 2004/08/07 19:53:48 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.29 2004/08/07 20:44:49 tgl Exp $ -->
22

33
<chapter id="ddl">
44
<title>Data Definition</title>
@@ -1378,29 +1378,22 @@ ALTER TABLE products RENAME TO items;
13781378
When you create a database object, you become its owner. By
13791379
default, only the owner of an object can do anything with the
13801380
object. In order to allow other users to use it,
1381-
<firstterm>privileges</firstterm> must be granted. (There are also
1382-
users that have the superuser privilege. Those users can always
1381+
<firstterm>privileges</firstterm> must be granted. (However,
1382+
users that have the superuser attribute can always
13831383
access any object.)
13841384
</para>
13851385

1386-
<note>
1387-
<para>
1388-
To change the owner of a table, index, sequence, or view, use the
1389-
<xref linkend="sql-altertable" endterm="sql-altertable-title">
1390-
command.
1391-
</para>
1392-
</note>
1393-
13941386
<para>
13951387
There are several different privileges: <literal>SELECT</>,
13961388
<literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
13971389
<literal>RULE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
13981390
<literal>CREATE</>, <literal>TEMPORARY</>, <literal>EXECUTE</>,
1399-
<literal>USAGE</>, and <literal>ALL PRIVILEGES</>. For complete
1391+
and <literal>USAGE</>. The privileges applicable to a particular
1392+
object vary depending on the object's type (table, function, etc).
1393+
For complete
14001394
information on the different types of privileges supported by
14011395
<productname>PostgreSQL</productname>, refer to the
1402-
<xref linkend="sql-grant" endterm="sql-grant-title">
1403-
reference page. The following sections
1396+
<xref linkend="sql-grant"> reference page. The following sections
14041397
and chapters will also show you how those privileges are used.
14051398
</para>
14061399

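Review bot: At new line 1392 the parenthetical ends in "etc)" without the period, while the owner-privileges paragraph later in this file writes "etc.)"; make it "(table, function, etc.)" for consistency. Dropping ALL PRIVILEGES from the list at 1391 reads correctly, since the GRANT paragraph at 1427 describes ALL as standing in place of a specific privilege, but that paragraph is now the only mention, so it could say there that ALL PRIVILEGES is the long spelling.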
@@ -1409,23 +1402,30 @@ ALTER TABLE products RENAME TO items;
14091402
the owner only.
14101403
</para>
14111404

1405+
<note>
1406+
<para>
1407+
To change the owner of a table, index, sequence, or view, use the
1408+
<xref linkend="sql-altertable"> command. There are corresponding
1409+
<literal>ALTER</> commands for other object types.
1410+
</para>
1411+
</note>
1412+
14121413
<para>
14131414
To assign privileges, the <command>GRANT</command> command is
1414-
used. So, if <literal>joe</literal> is an existing user, and
1415+
used. For example, if <literal>joe</literal> is an existing user, and
14151416
<literal>accounts</literal> is an existing table, the privilege to
14161417
update the table can be granted with
14171418
<programlisting>
14181419
GRANT UPDATE ON accounts TO joe;
14191420
</programlisting>
1420-
The user executing this command must be the owner of the table. To
1421-
grant a privilege to a group, use
1421+
To grant a privilege to a group, use this syntax:
14221422
<programlisting>
14231423
GRANT SELECT ON accounts TO GROUP staff;
14241424
</programlisting>
14251425
The special <quote>user</quote> name <literal>PUBLIC</literal> can
14261426
be used to grant a privilege to every user on the system. Writing
1427-
<literal>ALL</literal> in place of a specific privilege specifies that all
1428-
privileges will be granted.
1427+
<literal>ALL</literal> in place of a specific privilege grants all
1428+
privileges that are relevant for the object type.
14291429
</para>
14301430

14311431
<para>
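Review bot: Removing "The user executing this command must be the owner of the table" (old line 1420) leaves the GRANT examples with no statement of who is allowed to run them; the replacement wording only arrives in the grant-option paragraph added at 1446, after the REVOKE discussion. That is the access-control fact a reader needs at this point, so either keep a corrected sentence here (the owner, a superuser, or a user holding the privilege with grant option) or move the new paragraph up to follow the GRANT examples.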
@@ -1434,13 +1434,24 @@ GRANT SELECT ON accounts TO GROUP staff;
14341434
<programlisting>
14351435
REVOKE ALL ON accounts FROM PUBLIC;
14361436
</programlisting>
1437-
The special privileges of the table owner (i.e., the right to do
1437+
The special privileges of the object owner (i.e., the right to do
14381438
<command>DROP</>, <command>GRANT</>, <command>REVOKE</>, etc.)
14391439
are always implicit in being the owner,
1440-
and cannot be granted or revoked. But the table owner can choose
1440+
and cannot be granted or revoked. But the object owner can choose
14411441
to revoke his own ordinary privileges, for example to make a
14421442
table read-only for himself as well as others.
14431443
</para>
1444+
1445+
<para>
1446+
Ordinarily, only the object's owner (or a superuser) can grant or revoke
1447+
privileges on an object. However, it is possible to grant a privilege
1448+
<quote>with grant option</>, which gives the recipient the right to
1449+
grant it in turn to others. If the grant option is subsequently revoked
1450+
then all who received the privilege from that recipient (directly or
1451+
through a chain of grants) will lose the privilege. For details see
1452+
the <xref linkend="sql-grant"> and <xref linkend="sql-revoke"> reference
1453+
pages.
1454+
</para>
14441455
</sect1>
14451456

14461457
<sect1 id="ddl-schemas">
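Review bot: The sentence at 1449-1451 ("If the grant option is subsequently revoked then all who received the privilege from that recipient ... will lose the privilege") states the cascade as automatic and covers only revoking the grant option, not revoking the privilege itself from the recipient. Please say whether dependent grants are removed by default or only when the REVOKE command asks for it, and cover both cases, so that nobody relies on a plain REVOKE to strip access that was handed out further down the chain; the summary here should not promise more than the sql-revoke page it points to. A comma before "then" would also help the sentence read.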
@@ -1544,12 +1555,17 @@ CREATE SCHEMA myschema;
15441555
<synopsis>
15451556
<replaceable>schema</><literal>.</><replaceable>table</>
15461557
</synopsis>
1558+
(For brevity we will speak of tables only, but the same ideas apply
1559+
to other kinds of named objects, such as types and functions.)
1560+
</para>
1561+
1562+
<para>
15471563
Actually, the even more general syntax
15481564
<synopsis>
15491565
<replaceable>database</><literal>.</><replaceable>schema</><literal>.</><replaceable>table</>
15501566
</synopsis>
15511567
can be used too, but at present this is just for pro-forma compliance
1552-
with the SQL standard; if you write a database name it must be the
1568+
with the SQL standard. If you write a database name, it must be the
15531569
same as the database you are connected to.
15541570
</para>
15551571

@@ -1862,7 +1878,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
18621878
privileges to allow the other users to access them. Users can
18631879
then refer to these additional objects by qualifying the names
18641880
with a schema name, or they can put the additional schemas into
1865-
their path, as they choose.
1881+
their search path, as they choose.
18661882
</para>
18671883
</listitem>
18681884
</itemizedlist>

doc/src/sgml/ref/grant.sgml

+3-3
@@ -1,5 +1,5 @@
11
<!--
2-
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.41 2004/06/18 06:13:05 tgl Exp $
2+
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.42 2004/08/07 20:44:50 tgl Exp $
33
PostgreSQL documentation
44
-->
55

@@ -52,8 +52,8 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
5252

5353
<para>
5454
The <command>GRANT</command> command gives specific privileges on
55-
an object (table, view, sequence, database, function, procedural language,
56-
or schema) to
55+
an object (table, view, sequence, database, tablespace, function,
56+
procedural language, or schema) to
5757
one or more users or groups of users. These privileges are added
5858
to those already granted, if any.
5959
</para>
