

Granting WITH GRANT OPTION

Grantable Privilege

When you grant a definition or access privilege to a user, you can also give the user the authority to grant the same privilege to another user; in effect, to pass on the privilege. This authority is called the grantable privilege.

To give a grantable privilege to a user, you specify WITH GRANT OPTION at the end of the GRANT statement.

Giving grantable privileges is an essential technique in decentralizing security administration.

Grantable Privilege Example

In this example, the GRANT statement gives user PSD SELECT privilege on the demoempl.employee table, as well as the authority to assign that privilege to other users:

grant select
  on table demoempl.employee
  to psd
  with grant option;

User PSD can now use the GRANT statement to issue the SELECT privilege on the demoempl.employee table to other users.

Restrictions on Grantable Privilege

Not all privileges can be grantable privileges. These privileges cannot be grantable:

A user holding a grantable privilege does not necessarily have the authority to grant the privilege WITH GRANT OPTION.

Note: For more information about restrictions on passing grantable privilege, see the discussion of the WITH GRANT OPTION parameter under the applicable GRANT statements in the following chapters:

Omitting WITH GRANT OPTION

If you omit WITH GRANT OPTION when you grant a definition or access privilege, the named users receive the definition or access privilege, but it is not grantable. Therefore, the users cannot give the privilege to other users.

Grantable Privilege with REVOKE Statements

Unless you hold an administration privilege, you can revoke a privilege only if you hold the same grantable privilege. For example, a user cannot revoke CREATE privilege on SYSTEM88 unless the user holds grantable CREATE privilege on SYSTEM88.
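
The following model is an added example, not code from the product or its documentation. It encodes the rules stated above: who may grant, what omitting WITH GRANT OPTION means, and who may revoke. It can be used to reason about which users are able to pass a privilege on. The class and method names and the users dba and kls are hypothetical. It assumes that a holder of an administration privilege may always grant or revoke.

```python
# Added illustration: toy model of the grantable-privilege rules on this page.
# Not the product's implementation; all class and method names are hypothetical.

class PrivilegeError(Exception):
    """The acting user lacks the authority for this GRANT or REVOKE."""

class PrivilegeTable:
    def __init__(self, admins):
        self.admins = set(admins)  # holders of an administration privilege
        self.held = {}             # (user, privilege, resource) -> grantable?

    def _has_authority(self, actor, privilege, resource):
        # Assumption: an administrator may always act. Anyone else must hold
        # the same privilege on the same resource as a grantable privilege.
        return actor in self.admins or self.held.get((actor, privilege, resource), False)

    def grant(self, actor, privilege, resource, grantee, with_grant_option=False):
        if not self._has_authority(actor, privilege, resource):
            raise PrivilegeError(f"{actor} holds no grantable {privilege} on {resource}")
        key = (grantee, privilege, resource)
        # Omitting WITH GRANT OPTION gives the privilege but not the right to
        # pass it on. The product's further limits on passing the option
        # itself are not stated on this page and are not modelled.
        self.held[key] = self.held.get(key, False) or with_grant_option

    def revoke(self, actor, privilege, resource, grantee):
        if not self._has_authority(actor, privilege, resource):
            raise PrivilegeError(f"{actor} cannot revoke {privilege} on {resource}")
        # Only the named grantee's entry is removed; cascade is not modelled.
        self.held.pop((grantee, privilege, resource), None)

    def can_delegate(self, privilege, resource):
        """Audit view: every user able to pass this privilege on."""
        return sorted(u for (u, p, r), grantable in self.held.items()
                      if (p, r) == (privilege, resource) and grantable)

if __name__ == "__main__":
    t = PrivilegeTable(admins={"dba"})            # "dba" and "kls" are constructed names
    t.grant("dba", "SELECT", "demoempl.employee", "psd", with_grant_option=True)
    t.grant("psd", "SELECT", "demoempl.employee", "kls")   # no grant option
    print(t.can_delegate("SELECT", "demoempl.employee"))
    try:
        t.grant("kls", "SELECT", "demoempl.employee", "psd")
    except PrivilegeError as exc:
        print("refused:", exc)
```

Reviewing the output of can_delegate for sensitive tables shows how far decentralized administration has spread the authority to grant.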