* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download SQL Data Control Language - Information Products
Survey
Document related concepts
Oracle Database wikipedia , lookup
Microsoft Access wikipedia , lookup
Entity–attribute–value model wikipedia , lookup
Extensible Storage Engine wikipedia , lookup
Concurrency control wikipedia , lookup
Ingres (database) wikipedia , lookup
Functional Database Model wikipedia , lookup
Microsoft SQL Server wikipedia , lookup
Microsoft Jet Database Engine wikipedia , lookup
Open Database Connectivity wikipedia , lookup
Relational model wikipedia , lookup
Clusterpoint wikipedia , lookup
Transcript
Teradata Database SQL Data Control Language Release 13.0 B035-1149-098A April 2009 The product or products described in this book are licensed products of Teradata Corporation or its affiliates. Teradata, BYNET, DBC/1012, DecisionCast, DecisionFlow, DecisionPoint, Eye logo design, InfoWise, Meta Warehouse, MyCommerce, SeeChain, SeeCommerce, SeeRisk, Teradata Decision Experts, Teradata Source Experts, WebAnalyst, and You’ve Never Seen Your Business Like This Before are trademarks or registered trademarks of Teradata Corporation or its affiliates. Adaptec and SCSISelect are trademarks or registered trademarks of Adaptec, Inc. AMD Opteron and Opteron are trademarks of Advanced Micro Devices, Inc. BakBone and NetVault are trademarks or registered trademarks of BakBone Software, Inc. EMC, PowerPath, SRDF, and Symmetrix are registered trademarks of EMC Corporation. GoldenGate is a trademark of GoldenGate Software, Inc. Hewlett-Packard and HP are registered trademarks of Hewlett-Packard Company. Intel, Pentium, and XEON are registered trademarks of Intel Corporation. IBM, CICS, RACF, Tivoli, and z/OS are registered trademarks of International Business Machines Corporation. Linux is a registered trademark of Linus Torvalds. LSI and Engenio are registered trademarks of LSI Corporation. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are registered trademarks of Microsoft Corporation in the United States and other countries. Novell and SUSE are registered trademarks of Novell, Inc., in the United States and other countries. QLogic and SANbox are trademarks or registered trademarks of QLogic Corporation. SAS and SAS/C are trademarks or registered trademarks of SAS Institute Inc. SPARC is a registered trademark of SPARC International, Inc. Sun Microsystems, Solaris, Sun, and Sun Java are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. Symantec, NetBackup, and VERITAS are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Unicode is a collective membership mark and a service mark of Unicode, Inc. UNIX is a registered trademark of The Open Group in the United States and other countries. Other product and company names mentioned herein may be the trademarks of their respective owners. THE INFORMATION CONTAINED IN THIS DOCUMENT IS PROVIDED ON AN “AS-IS” BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. IN NO EVENT WILL TERADATA CORPORATION BE LIABLE FOR ANY INDIRECT, DIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS OR LOST SAVINGS, EVEN IF EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The information contained in this document may contain references or cross-references to features, functions, products, or services that are not announced or available in your country. Such references do not imply that Teradata Corporation intends to announce such features, functions, products, or services in your country. Please consult your local Teradata Corporation representative for those features, functions, products, or services available in your country. Information contained in this document may contain technical inaccuracies or typographical errors. Information may be changed or updated without notice. Teradata Corporation may also make improvements or changes in the products or services described in this information at any time without notice. To maintain the quality of our products and services, we would like your comments on the accuracy, clarity, organization, and value of this document. Please e-mail: [email protected] Any comments or materials (collectively referred to as “Feedback”) sent to Teradata Corporation will be deemed non-confidential. Teradata Corporation will have no obligation of any kind with respect to Feedback and will be free to use, reproduce, disclose, exhibit, display, transform, create derivative works of, and distribute the Feedback and derivative works thereof without limitation on a royalty-free basis. Further, Teradata Corporation will be free to use any ideas, concepts, know-how, or techniques contained in such Feedback for any purpose whatsoever, including developing, manufacturing, or marketing products or services incorporating Feedback. Copyright © 2000 – 2009 by Teradata Corporation. All Rights Reserved. Preface Purpose This manual describes the SQL language statements used to assign or revoke access to the data. These statements constitute the SQL Data Control Language. This preface describes the organization of SQL Data Control Language and identifies information you should know before using it. This book should be used in conjunction with the other volumes of the SQL book set. Audience System administrators, database administrators, and security administrators are the principal audience for this book. Teradata field engineers and other technical personnel responsible for designing and maintaining a Teradata Database may also find this book useful. Supported Software Release This book supports Teradata® Database 13.0. Prerequisites If you are not familiar with Teradata Database, you will find it useful to read Introduction to Teradata and SQL Fundamentals before reading this book. You should be familiar with basic relational database management theory and technology. This book is not an SQL primer. SQL Data Control Language 3 Preface Changes To This Book Changes To This Book Date Teradata Database 13.0 April 2009 Description • Created the new SQL Data Control Language manual from the previously existing SQL Reference: Data Definition Statements manual and moved the following statements from that manual to this one: • GIVE • GRANT (Monitor, Role, and SQL forms) • GRANT LOGON • REVOKE (Monitor, Role, and SQL forms) • REVOKE LOGON • Added the following new statements: • GRANT CONNECT THROUGH • REVOKE CONNECT THROUGH • Added the following new privileges: • • • • CREATE GLOP CREATE OWNER PROCEDURE CTCONTROL DROP GLOP • • • • GLOP GLOP MEMBER SHOW STATISTICS • Added the capability of granting and revoking the INSERT and SELECT privileges at the column level. • Removed the complete list of data dictionary privilege abbreviations from GRANT (SQL Form). Teradata Database 12.0 • Added a complete list of data dictionary privilege abbreviations to GRANT (SQL Form). September 2007 4 SQL Data Control Language Preface Additional Information Additional Information URL Description http://www.info.teradata.com/ Use the Teradata Information Products Publishing Library site to: • View or download a manual: 1 Under Online Publications, select General Search. 2 Enter your search criteria and click Search. • Download a documentation CD-ROM: 1 Under Online Publications, select General Search. 2 In the Title or Keyword field, enter CD-ROM, and click Search. • Order printed manuals: Under Print & CD Publications, select How to Order. http://www.teradata.com The Teradata home page provides links to numerous sources of information about Teradata. Links include: • Executive reports, case studies of customer experiences with Teradata, and thought leadership • Technical information, solutions, and expert advice • Press releases, mentions and media resources http://teradatauniversitynetwork.com Teradata University Network fosters education on data warehousing, business intelligence (BI) and database administration (DBA). To maintain the quality of our products and services, we would like your comments on the accuracy, clarity, organization, and value of this document. Please e-mail: [email protected] References to Microsoft Windows and Linux This book refers to “Microsoft Windows” and “Linux.” For Teradata Database 13.0, these references mean: • “Windows” is Microsoft Windows Server 2003 64-bit. • “Linux” is SUSE Linux Enterprise Server 9 and SUSE Linux Enterprise Server 10. SQL Data Control Language 5 Preface References to Microsoft Windows and Linux 6 SQL Data Control Language Table of Contents Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Supported Software Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Changes To This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 References to Microsoft Windows and Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Chapter 1: Teradata Database Privileges . . . . . . . . . . . . . . . . . . . . . . . . . .9 Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Owners, Creators, and Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Types of Privileges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Implicit Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Explicit Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Summary of Implicit and Explicit Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Automatically Granted Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Inherited Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 PUBLIC Privileges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Summary of Implicit, Automatic, Explicit, and Inherited Privilege Types . . . . . . . . . . . . . . . 28 SQL Data Control Language 7 Table of Contents Chapter 2: SQL Data Control Language Statement Syntax . . .29 GIVE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30 GRANT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33 GRANT (Monitor Form) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34 GRANT (Role Form) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38 GRANT (SQL Form) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 GRANT CONNECT THROUGH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83 GRANT LOGON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93 REVOKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 REVOKE (Monitor Form) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100 REVOKE (Role Form) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104 REVOKE (SQL Form) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107 REVOKE CONNECT THROUGH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124 REVOKE LOGON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127 Appendix A: Notation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131 Syntax Diagram Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132 Character Shorthand Notation Used In This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149 8 SQL Data Control Language CHAPTER 1 Teradata Database Privileges This chapter describes the fundamental concepts behind Teradata Database privileges, including the following topics: • Privileges • Owners, Creators, and Users • Types of Privileges, including the following: • Implicit Privileges • Explicit Privileges • Automatically Granted Privileges • Inherited Privileges • PUBLIC Privileges The SQL statements used to grant and revoke the various privileges supported by Teradata Database are described in Chapter 2: “SQL Data Control Language Statement Syntax.” SQL Data Control Language 9 Chapter 1: Teradata Database Privileges Privileges Privileges Introduction DCL statements grant, transfer, and revoke the privileges associated with users, databases, and roles. Privileges are sometimes referred to as access rights, permissions, or authorizations. This documentation uses privileges because that is the term used in the ANSI SQL specifications. Privileges permit users to perform the following actions: • Monitor system-wide performance • Perform particular statements and access particular database objects • Hold membership in a role • Log onto Teradata Database. A user can acquire a privilege in several ways: • Directly by having that privilege explicitly granted on itself. • Indirectly by being assigned a role that has that privilege. • Temporarily as the immediate owner of a view, macro, or stored procedure it is performing. • By being the owner of the object. This is called an implicit privilege (see “Implicit Privileges” on page 21). The following table lists the sets of DCL statements and describes their basic functions: This DCL statement type … Performs this function with privileges … GRANT assigns them to specified users, databases, and roles. See “GRANT” on page 33. GRANT (Monitor Form) grants system-wide performance monitoring privileges. See “GRANT (Monitor Form)” on page 34. GRANT (Role Form) grants role membership to a user or role. See “GRANT (Role Form)” on page 38. GRANT (SQL Form) grants selected or all privileges to a user or database on a specified database object. See “GRANT (SQL Form)” on page 41. GRANT CONNECT THROUGH grants the ability to connect as a proxy permanent or proxy application proxy user through a specified trusted user. GRANT LOGON grants privilege to log onto Teradata Database to a user and changes current system logon defaults. See “GRANT LOGON” on page 93. 10 SQL Data Control Language Chapter 1: Teradata Database Privileges Privileges This DCL statement type … Performs this function with privileges … REVOKE rescinds them from specified users, databases, and roles. See “REVOKE” on page 98. REVOKE (Monitor Form) revokes system-wide performance monitoring privileges. See “REVOKE (Monitor Form)” on page 100. REVOKE (Role Form) revokes membership in a role from a user or role. See “REVOKE (Role Form)” on page 104. REVOKE (SQL Form) revokes selected or all privileges from a user or database on a specified database object. See “REVOKE (SQL Form)” on page 107. REVOKE CONNECT THROUGH revokes the ability to connect as a proxy permanent or proxy application proxy user through a specified trusted user. REVOKE LOGON revokes the logon privilege from a user. See “REVOKE LOGON” on page 127. GIVE transfers ownership of an object from one user or database to another user or database. Ownership implies certain privileges, so an ownership change implies implicit changes in privileges as well. See “GIVE” on page 30. GIVE does not transfer privileges for performance monitoring, roles, or logons. Storage of Privileges With the exception of implicit privileges (see “Summary of Implicit and Explicit Privileges” on page 24 and “Implicit Privileges” on page 21), Teradata Database privileges are stored in the DBC.AccessRights table in the data dictionary. Implicit privileges are not stored. SQL Data Control Language 11 Chapter 1: Teradata Database Privileges Privileges Users and Databases The difference between users and databases in Teradata Database has critical implications for matters related to privileges, and it is important to understand what those differences are. This is particularly true with respect to understanding fully the consequences of implicitly granted privileges. Formally speaking, the difference between a Teradata user and a Teradata database is that a user has a password and a database does not1 (see “CREATE USER” in SQL Data Definition Language for details). You might infer from this that databases are passive objects, while users are active objects. That is only true in the sense that databases cannot perform SQL statements. With respect to the semantics of privileges, databases are not entirely passive (see “Example Implicit Privileges” on page 21 for an example of this). 1. Users can also have default attributes such as time zone, date form, character set, role, and profile, while databases cannot. 12 SQL Data Control Language Chapter 1: Teradata Database Privileges Owners, Creators, and Users Owners, Creators, and Users Introduction With respect to privileges on database objects, Teradata users and databases are categorized as one or more of the following types: • Owner • Immediate owner • Creator • Active user Depending on the context, a Teradata Database user can be one, several, or all of these types simultaneously, while a database can only be an owner or immediate owner. It is important to understand the differences among these types because the accrual of privileges is different for each of them. Type Owner Definition Databases and users own their own space and all space that is derived from it. See “Owners of Database Objects” on page 15. Ownership extends downward throughout the user/database space hierarchy. For example, user DBC owns all database objects in a Teradata Database system because all user space derives from DBC. As a result, a database object can have multiple owners. An owner does not own itself. For example, suppose there is a database named dbl. Database dbl cannot also be an owner of database dbl. Owners can grant or revoke privileges to themselves on any objects they own. Owners implicitly hold the WITH GRANT OPTION on the objects they own. See the scenario documented in “Privileges and the Accessibility of Data By Means of a View, Macro, or Stored Procedure” on page 19 for an important consequence of this. See Database Administration for a description of ownership in a Teradata Database. Immediate Owner A database or user from whose space a database object is created or given is called the immediate owner of that object. Creator A user who performs the DDL to create a database object is called the creator of that object. See “Owners of Database Objects” on page 15. Creators are automatically granted privileges on the database objects they create. Databases can never be creators. The creator of all objects created in a proxy connection is the trusted user, not the proxy user. SQL Data Control Language 13 Chapter 1: Teradata Database Privileges Owners, Creators, and Users Type Active user Definition A user who is logged onto a session and is performing requests, either directly or by means of views, macros, stored procedures, or external authentication. Active users fall into two general categories: • Permanent A permanent user is a database user defined in Teradata Database by a CREATE USER request. A permanent user always has a password, and can optionally be defined to have permanent space, a default database, a default role, a default profile, and other attributes. • Externally authenticated An externally authorized user cannot have permanent disk space. Only externally authorized users are mapped to the generic user EXTUSER. Several subcategories of users can be defined within these categories: • Trusted users A trusted user is a permanent user that has been granted the privilege to assume the identity of a proxy user. • Proxy users A proxy user is a user who accesses Teradata Database using the session of a trusted user. There are two types of proxy users: • A Teradata Database permanent user When a proxy user is a permanent user, its privileges are either those defined for the permanent user or the roles defined for the proxy user in the proxy GRANT CONNECT privileges (see “GRANT CONNECT THROUGH” on page 83). • A user whose name is not known to Teradata Database A proxy user whose name is not known to Teradata Database is referred to as an application proxy user. The application proxy user can be any user that represents the client connecting to the middle tier such as a client name or an ATM ID. Application proxy user names are not defined in Teradata Database, so Teradata Database cannot validate application proxy user names. A connection for which the user being validated for privileges and logging is a proxy user is referred to as a proxy connection. A proxy connection uses the privileges of the proxy user. All other session-level attributes are those of the trusted user. These attributes include the following: • Account name • Spool allocations • Temporary space allocations Performance management APIs such as MonitorSession and AbortSession continue to identify the session by the trusted user name. Teradata Active System Management rules are enforced for the trusted user name, not the proxy user. 14 SQL Data Control Language Chapter 1: Teradata Database Privileges Owners, Creators, and Users Owners of Database Objects The owner of an object is a database or user that is higher than the database or user in the user/database hierarchy. THE immediate owner of a … IS the user of database … database object in which the object was created. The default database is the current database for the creating user, but you can also create an object in a different database if you fully qualify its name in the CREATE statement. • user • database space from which the PERM space for the user or database is allocated. The default immediate owner of a user or database is its creator, but the creator can specify a different immediate owning user or database by using the FROM database_name option of the CREATE DATABASE and CREATE USER statements (see “CREATE DATABASE” and “CREATE USER” in SQL Data Definition Language). You can also change ownership using the GIVE statement (see “GIVE” on page 30). An object must always have an immediate owner. The immediate owner of one or more objects cannot be dropped. An immediate owner can be dropped only after it no longer owns any objects. However, you can change the immediate owner of a database or user by submitting a GIVE statement (see “GIVE” on page 30). Creators of Database Objects The creator of an object is the user who submitted the CREATE statement for a database object. Each database object has one and only one creator. Unlike owners, creators can be dropped from the system. If a CREATE statement is run from within a macro or stored procedure, then the user who ran the macro or stored procedure is the creator of the object. SQL Data Control Language 15 Chapter 1: Teradata Database Privileges Owners, Creators, and Users Summary of the Principles of Creation and Ownership The basic principles defining a creator, an owner, and an immediate owner are described in the following table: IF … THEN you are … you run a CREATE statement that creates a database object the creator of that object. You are not necessarily either an owner, or the immediate owner, of that object. an object is directly beneath you in the user/ database hierarchy its immediate owner. you create an object in your own database both the creator and the immediate owner of that object. you create an object in the space of another user (assuming you have the privilege that allows you to do so) the creator of the object. user Admin owns you, and you create an object in your database the creator of the object. The database/user in which the object is created is its immediate owner. You are also the immediate owner of the object. User Admin is also an owner, but not the immediate owner of the object. 16 SQL Data Control Language Chapter 1: Teradata Database Privileges Types of Privileges Types of Privileges Introduction Teradata Database supports two general types of privileges: • Implicit • Explicit Definition: Privilege A privilege is a license to access or manipulate a database object. Teradata Database security uses privileges to control activities such as creating, deleting, and viewing database objects as well as running executable database objects. Implicit privileges are assumed implicitly because of object ownership. Explicit privileges are granted in three possible ways: • Explicitly Explicitly granted privileges are granted by means of a GRANT request (see “GRANT” on page 33). • Automatically Automatically granted privileges are granted by means of performing a CREATE request and creating a database object. • Inherited Inherited privileges are assigned by means of a role (see “CREATE ROLE” in SQL Data Definition Language). Inherited privileges are a form of Explicit privilege. The following graphic restates this pictorially: Explicit Privilege Privilege that you explicitly grant with the GRANT statement. Privilege that is automatically granted by the system as though a GRANT statement was issued. Implicit Privilege Inherited Privilege: Privilege that is assigned by means of a role. Privilege for a user who directly or indirectly owns an object. 1101A386 SQL Data Control Language 17 Chapter 1: Teradata Database Privileges Types of Privileges Granting Privileges to Others SQL DCL permits you to grant privileges to another user or database if you are one of the following users: • User DBC. • An owner of the object. • A user having each privilege to be granted. If the grantee is not the same as the user or database having the privilege being granted, either WITH GRANT OPTION or WITH ADMIN OPTION, as appropriate. A user might have a privilege by inheriting it from a role as a result of creating a view, macro, or stored procedure. Conceptually, all privileges are granted in the following form:2 GRANT privilege_type ON object TO user or database or role WITH GRANT OPTION; This is true whether the privileges are granted implicitly, automatically, or explicitly. The determination of whether a user can grant the ability to grant a privilege to other users or databases depends on how the WITH GRANT OPTION clause is specified in the SQL GRANT statement. IF you grant a privilege … THEN users … WITH GRANT OPTIONa can grant the privilege to another user. but do not specify WITH GRANT OPTION cannot grant privileges to another user. a. For roles, the parallel syntax to the WITH GRANT OPTION clause is WITH ADMIN OPTION. Implicit privileges always have the WITH GRANT OPTION characteristic by default. System-Granted Privileges You might see the term system-granted privileges used occasionally. These privileges are granted explicitly by a GRANT statement in a DIP script. 2. For roles, the syntax for this clause is WITH ADMIN OPTION. 18 SQL Data Control Language Chapter 1: Teradata Database Privileges Types of Privileges Privileges and the Accessibility of Data By Means of a View, Macro, or Stored Procedure The privileges required for users to access data by means of a view, macro, or stored procedure are different than the privileges required to access the same data directly. Consider the following example scenario: • You define a view v in database d2. • The base tables referenced by v are also contained within d2. • Any user that performs a SELECT request through v must have the SELECT privilege on v. • To permit a user to perform this SELECT request, d2 must also have the SELECT WITH GRANT OPTION privilege on the base tables the view references. • You revoke all explicit database, but not table, privileges from d2 by performing the following REVOKE request: REVOKE ALL PRIVILEGES ON d2 FROM PUBLIC; You might wonder if users can access the tables in d2 using v. The answer is yes if they are accessing those tables by means of a view, macro, or stored procedure. In this case, d2 is accessed through v, so when a user with the SELECT privilege on v performs the SELECT … FROM d2.v request, the system returns the requested rows. The reason for this is that d2 owns all the views and tables it contains. Because d2 is the immediate owner of these views and tables, it implicitly has the SELECT WITH GRANT OPTION privilege on them, and implicitly granted privileges cannot be revoked. The system takes advantage of this to permit users to access data indirectly through views, macros, or stored procedures. Before users can access a database object directly, they must possess explicit privileges on that object. Direct access to database objects can be controlled tightly by granting or revoking user privileges selectively to either minimize or eliminate it entirely. This ensures that users can neither access data they should not view or update, nor can they do something to an object that would compromise its integrity or the integrity of the database. The situation is different when users access a database object indirectly by means of a view, macro, or stored procedure. These objects are designed specifically to circumvent direct user access of database objects while still providing them with a method to access selected aspects of the data they contain. SQL Data Control Language 19 Chapter 1: Teradata Database Privileges Types of Privileges To support this scenario, the system permits a DBA to revoke all privileges on a base database object, whether granted explicitly or automatically, to ensure maximum security. At the same time, the immediate owner of a view, macro, or stored procedure implicitly and irrevocably possesses all privileges on those objects. This allows the system to permit users of views, macros, and stored procedures to access data indirectly using the implicit privileges granted to the immediate owner of those objects. In this case, it is the implicit privileges held by the immediate owner of the view, macro, or stored procedure that control whether a user can perform an action using that view, macro, or stored procedure to access data. The explicitly held or automatically assigned privileges the user has on those objects are not relevant. 20 SQL Data Control Language Chapter 1: Teradata Database Privileges Implicit Privileges Implicit Privileges Introduction Implicit privileges are privileges users have on database objects because they own those objects, either directly, because they are their immediate owner, or indirectly. Because of this, implicit privileges are sometimes referred to as ownership privileges. Characteristics of Implicit Privileges Implicit privileges have the following characteristics: • They cannot be revoked. • They are not logged in DBC.AccessRights. • They are implied for the owner of an object. • They are implied from the system ownership hierarchy. Duration of Implicit Privileges A database or user has implicit privileges on an object only as long as the database or user is an owner of the object. However, you can use the GIVE statement to change the ownership hierarchy (see “Transfer of Space Allocation” on page 31). Implicit privileges on an object stop once the object is dropped. If John owns SampleTable and revokes all privileges from all users, including himself, then no users, including John, even though he is the owner, can access SampleTable. However, because owning SampleTable means he has implicit privilege on it, John can grant the revoked privileges back to himself at any time. Example Implicit Privileges Even though owners have implicit privileges on their objects, they must have explicitly granted privileges on most objects to access them directly. For example, an owner of a table must have the explicitly or automatically granted SELECT privilege on that table to be able to select rows from it. Owners can grant themselves these privileges on objects they own. For example, suppose I own a table named StatusThroughYesterday that I want to make read-only. Because I own StatusThroughYesterday, I can revoke UPDATE and DELETE privileges on it from all users, including myself. When I need to update StatusThroughYesterday at the end of the current day, I can grant the UPDATE and DELETE privileges back to myself, make the necessary updates, and then revoke those privileges once again. SQL Data Control Language 21 Chapter 1: Teradata Database Privileges Explicit Privileges Explicit Privileges Introduction An explicitly granted privilege is the license to access an object, a database, or a user as granted by the granting user to a recipient user. To grant privileges explicitly, you muse use the SQL GRANT statement (see “GRANT (SQL Form)” on page 41). For example, the following GRANT request grants the SELECT privilege on table TestTable in the space belonging to UserA to the user named UserB: GRANT SELECT ON UserA.TestTable TO UserB; The grantor must have the privilege to issue the GRANT request. Awarding the Privilege to Grant Privileges A user can award the GRANT option to another user by specifying WITH GRANT OPTION when issuing a GRANT request. For example, if UserA creates TestTable in his own space and then grants UserB the privilege to select data from that table, UserA can also grant User B the privilege to grant the SELECT privilege to other users. For example: GRANT SELECT ON UserA.TestTable TO UserB WITH GRANT OPTION; Now UserB has the privilege to grant SELECT on UserA.TestTable to users UserC, UserD, and so on. Granting Explicit Privileges Automatically Teradata Database also grants explicit privileges to a user or database automatically when it creates a new object.3 For example, the system grants a newly created user the privilege to create a table in his own space automatically, and grants the creator of a table the privilege to alter or drop that table automatically. Also see “Automatically Granted Privileges” on page 25. Table-Level Privileges and Database-Level Privileges Teradata Database supports two general types of explicit privileges: table-level and database-level. The two levels are not mutually exclusive, and many privileges apply at both levels. The only exclusively table-level privileges are the following: • INDEX • REFERENCES Note that REVOKE ALL does not revoke the INDEX and REFERENCES privileges, so if you want to revoke either or both from a user, you must revoke them explicitly. 3. Some of the privileges are granted to the creator and others are granted to the newly created database or user. 22 SQL Data Control Language Chapter 1: Teradata Database Privileges Explicit Privileges Characteristics of Explicit Privileges Explicit privileges have the following characteristics: • They are stored one row per user per privilege on a database object in the DBC.AccessRights table. Teradata Database uses this table to verify privileges for a user, database, or role. • They are granted explicitly to a user/database on specific objects by another user, or automatically granted to a user/database on objects it creates. • They can be granted explicitly to a role. A role is a collection of privileges on database objects (see “CREATE ROLE” in SQL Data Definition Language). A user who is a member of a role can access all the objects on which that role has privileges. One row per role per privilege is stored in the DBC.AccessRights table. Also see “Inherited Privileges” on page 26. • They can be granted explicitly to PUBLIC. Privileges granted to PUBLIC apply to every valid, and all future, users of the system (see “PUBLIC Privileges” on page 27). Reporting the Contents of the DBC.AccessRights Table You can retrieve DBC.AccessRights rows using the DBC.AllRightsV view (see Data Dictionary). This view returns a report of all users who have explicit privileges and the objects on which those privileges are granted. SQL Data Control Language 23 Chapter 1: Teradata Database Privileges Summary of Implicit and Explicit Privileges Summary of Implicit and Explicit Privileges The following table summarizes the differences between implicit and explicit privileges: Privilege Type Implicit Description The set of privileges granted to the owner of a database object. Implicit privileges are sometimes called ownership privileges. See “Implicit Privileges” on page 21. The privilege to grant most privileges on any database, user, or database object they own is implicitly held by an owning user or database. Implicit privileges are not stored as such in DBC.AccessRights. They are derived based on the database/user ownership hierarchy. The privilege to grant and regrant privileges on any owned object cannot be revoked directly, but can be transferred to another user or database by means of the GRANT statement (see “GRANT (SQL Form)” on page 41). Implicit privileges are usually not sufficient for owners to access objects they own directly. They must also have the explicit privileges, whether granted automatically or explicitly, to access those objects. See “Example Implicit Privileges” on page 21 for details. Explicit The set of privileges granted to one user by another user or database by means of an SQL GRANT statement (see “GRANT (SQL Form)” on page 41 and “Explicit Privileges” on page 22), automatically, or by means of a role. Explicitly granted, automatically granted, and inherited privileges are sometimes grouped together as explicit privileges because the system does not discriminate between them once they have been granted. This is because rows in the DBC.AccessRights table do not record how their privileges were granted, only that they were granted. The granting user must itself, either explicitly or implicitly, have any privilege it grants to another user or database WITH GRANT OPTION. Explicit privileges are inserted into DBC.AccessRights by a GRANT statement that explicitly specifies a set of privileges on a database object. See “GRANT” on page 33 and “GRANT (SQL Form)” on page 41. Explicit privileges can be revoked at any time by any user with the authority to do so. See “REVOKE” on page 98 and “REVOKE (SQL Form)” on page 107). 24 SQL Data Control Language Chapter 1: Teradata Database Privileges Automatically Granted Privileges Automatically Granted Privileges Automatic privileges fall into two loosely related categories: • The set of privileges automatically granted on a database object to the creator of that object. • The set of privileges automatically granted to a user or database when that user or database is created. Automatic privileges are inserted into DBC.AccessRights by the CREATE statement that defines the database object. Once granted, automatic privileges are identical in form and behavior to explicitly granted privileges. SQL Data Control Language 25 Chapter 1: Teradata Database Privileges Inherited Privileges Inherited Privileges Users assigned to a role inherit all the privileges granted to that role. Inherited privileges are a subclass of explicit privileges because a set of privileges is granted explicitly to each role after it is created (see “GRANT (SQL Form)” on page 41 for an explanation of how privileges are assigned to roles). Because they are explicit privileges, inherited privilege rows are stored in DBC.AccessRights the same as any other explicit privilege. The only difference is that they are associated with a role rather than a database or user. Inherited privileges can be revoked in several ways, and at any time, in the ways listed in the following bullets: • By explicitly revoking the privilege from a role by means of the REVOKE statement (see “REVOKE” on page 98). • By revoking the role assigned to a user (see “REVOKE (Role Form)” on page 104). This action removes specified users from membership in a role, thereby indirectly revoking the privileges they inherited from that membership. Another way to specify inherited privileges is by means of the TO PUBLIC option (see “PUBLIC Privileges” on page 27) for the Monitor and SQL forms of the GRANT statement (see “GRANT (Monitor Form)” on page 34 and “GRANT (SQL Form)” on page 41). When you specify that a privilege is to be granted TO PUBLIC, that privilege is immediately inherited by all Teradata Database users on the specified object. Granting a privilege TO PUBLIC also specifies that all future Teradata Database users are to inherit that privilege on the specified object until a REVOKE … TO PUBLIC request on that privilege is submitted. 26 SQL Data Control Language Chapter 1: Teradata Database Privileges PUBLIC Privileges PUBLIC Privileges When you grant a privilege TO PUBLIC, that privilege is inherited by every valid user of your system. Furthermore, the specified privilege is inherited by all future users of your system unless you issue a REVOKE … FROM PUBLIC statement withdrawing the privilege.4 To promote optimum system responsiveness, Teradata recommends that you not use the TO object ALL option unless absolutely necessary. This is because the system inserts a row into DBC.AccessRights for every user that has the privilege.5 As the size of the DBC.AccessRights table increases, the ability of users to access objects quickly decreases because of the number of rows that must be scanned to locate a privilege for a given user. As a general rule, you should consider granting privileges at the highest level possible in order to keep the cardinality of DBC.AccessRights at a reasonable level. For example, it is often more performant to grant privileges at the database or user level instead of granting them at the level of objects contained within a database or user. 4. The effect of issuing a REVOKE ALL ON … FROM DBC request is not equivalent to the effect of issuing a REVOKE ALL ON … FROM PUBLIC request. The REVOKE ALL ON … FROM DBC form stops future users from implicitly receiving privileges on the specified object set, but does not revoke those privileges from existing users to whom the privileges were previously granted by means of a GRANT ALL ON … TO PUBLIC statement. To revoke previously granted implicit privileges, you must submit a REVOKE ALL ON … FROM PUBLIC statement. 5. This means that a row is inserted into DBC.AccessRights for each owner of a privilege, not that a row is inserted for each defined user. SQL Data Control Language 27 Chapter 1: Teradata Database Privileges Summary of Implicit, Automatic, Explicit, and Inherited Privilege Types Summary of Implicit, Automatic, Explicit, and Inherited Privilege Types The following table summarizes this information: How Granted Stored in This Table Revokable? Granted To This Type of Object Implicitly Not recordeda Nob Owner.d Automatically DBC.AccessRights Yes Creatore and created database or user. Explicitly DBC.AccessRights Yes User or database. Inherited • DBC.AccessRights • DBC.RoleGrants Yesc User through a role or PUBLIC. a. See “Summary of Implicit and Explicit Privileges” on page 24. b. Implicit privileges cannot be revoked, but they can be given away. c. Privileges inherited by means of a role can be revoked either by removing the role from a user or by revoking the privilege from a role. d. An owner can be either a database or a user. e. A creator is always a user. 28 SQL Data Control Language CHAPTER 2 SQL Data Control Language Statement Syntax This chapter describes the syntax of, and usage information for, the SQL Data Control Language statements that you can use to grant and revoke the privileges supported by Teradata Database. SQL Data Control Language 29 Chapter 2: SQL Data Control Language Statement Syntax GIVE GIVE Purpose Transfers ownership of a database or user space to another user. Also transfers all databases and users owned by the transferred database or user. Syntax GIVE database_name TO recipient_name user_name ; FF07A025 where: Syntax Element... Specifies... database_name user_name the name of the database or user whose ownership is being transferred. TO an introduction to the name of the recipient. recipient_name the name of the new immediate owner for the transferred database or user. ANSI Compliance GIVE is an extension to the ANSI SQL:2008 standard. Required Privileges You must have the DROP DATABASE privilege on the given object, and the CREATE DATABASE privilege on the recipient. The GIVE statement does not revoke any explicit privileges on the given database or user. No explicit privileges on the given database or user are granted to the new ownership hierarchy as a result of the GIVE statement, nor does the database or user being given receive any explicit privileges. The recipient of a GIVE statement cannot be owned by the given object; if A owns B, A cannot be given to B. 30 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GIVE Transfer of Space Allocation A transfer of ownership also transfers the permanent space allocated to the named database or user. This affects space allocation in the system as follows: • The aggregate number of permanent space bytes available to the former owners (the owner who submits the GIVE statement plus the owners above this owner in the hierarchy) is reduced by the number of permanent space bytes in the transferred database. This includes total space allocated to the database, plus that of all databases and users owned by the transferred database. • If the transferred database is dropped, then the number of bytes of permanent space allocated to the new immediate owner of the transferred database is increased by the number of bytes of permanent space in the transferred database. In addition, the aggregate number of bytes of permanent space available to owners above this owner in the hierarchy is increased by the number of bytes of permanent space that had been allocated to the transferred database. For example, consider the following hierarchy: DBC A (60) B (80) C (40) D (30) F (10) FF07A070 If ownership of database C is transferred to database D, the structure of the hierarchy changes as follows: DBC A (60) B (80) D (30) C (40) F (10) FF07A071 SQL Data Control Language 31 Chapter 2: SQL Data Control Language Statement Syntax GIVE When database C is transferred, database F (which is owned by C) is also transferred. • While the number of permanent space bytes allocated to database A remains the same, the aggregate number of permanent space bytes available to database A is reduced by 50 (the total number of permanent space bytes allocated to databases C and F). • The number of bytes allocated to databases D and B remains the same. • The available number of permanent space bytes, however, is increased by 50 (that is, if databases C and F were dropped, the bytes allocated to C and F are transferred to database D). • A no longer has implicit privileges on C and F. • B and D now have implicit privileges on C and F. • There is a change in the explicit privileges held by any of the databases or users. For example, if A had granted itself explicit privileges on C, or F, or on objects they contain, then D would still have those explicit privileges after you had successfully submitted the GIVE statement. Example The following statement transfers ownership of the finance database from user administrator to user Chin. GIVE Finance TO Chin; 32 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT GRANT GRANT establishes explicit privileges for one or more users, proxy users, databases, or roles. GRANT has five forms that differ both in function and in syntax: • “GRANT (Monitor Form)” on page 34, for performance monitoring of Teradata Database. • “GRANT (Role Form)” on page 38, for granting role membership to users and other roles. • “GRANT (SQL Form)” on page 41, for granting access to, creation of, or logging of, various Teradata database objects. • “GRANT CONNECT THROUGH” on page 83, for granting the ability to connect as a proxy permanent or proxy application user through a trusted user. • “GRANT LOGON” on page 93, for granting system-wide performance monitoring privileges. The SQL and MONITOR forms of GRANT are separate statements. To grant a user all privileges including MONITOR, you must perform both of the following requests: GRANT ALL PRIVILEGES ON object TO user WITH GRANT OPTION; GRANT MONITOR PRIVILEGES TO user WITH GRANT OPTION; Note that GRANT MONITOR has no ON object clause. Because this statement allows its users to impact the entire system, it implies that the privilege is ON PUBLIC. SQL Data Control Language 33 Chapter 2: SQL Data Control Language Statement Syntax GRANT (Monitor Form) GRANT (Monitor Form) Purpose Grants system-wide performance monitoring privileges. Syntax GRANT MONITOR TO A PRIVILEGES , BUT NOT monitor_privilege , monitor_privilege , A user_name ALL WITH GRANT OPTION PUBLIC ; FF07A056 where: Syntax Element … Specifies … MONITOR PRIVILEGES the named recipients are to receive all MONITOR-related privileges. MONITOR [PRIVILEGES] does not permit the user to grant the indicated privilege to others without the WITH GRANT OPTION being specified. MONITOR BUT NOT the named recipients are to receive all of the grantable privileges except those specified after BUT NOT. If the ability to grant these privileges is to be included, the WITH GRANT OPTION must be specified explicitly. monitor_privilege 34 one of the following monitor privileges: Option Description ABORTSESSION Aborts any outstanding request or ongoing transaction of one or more Teradata Database sessions and, optionally, logs off the sessions. MONRESOURCE Gathers information on the performance and availability of each PE and AMP. SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (Monitor Form) Syntax Element … Specifies … Option Description MONSESSION Gathers information about logged on sessions and overall system usage on a session-by-session basis. SETRESRATE Sets the frequency at which processor resource usage data is updated in the system. SETSESSRATE Sets the frequency at which session-level performance data is updated in the system. ALL to grant the specified object privilege set to the named database or user and to every database or user owned by that database or user now and in the future. user_name the name of a user or database to be granted the specified MONITOR privileges. user_name must be the identifier of a user already defined to the system. You can specify up to 25 names. PUBLIC that the privileges are to be inherited by all existing and future Teradata Database users. WITH GRANT OPTION that the grantee receives privileges WITH GRANT OPTION. If this option is not specified, the grantee receives the privilege set without the grant option. ANSI Compliance The monitor form of GRANT is an extension to the ANSI SQL:2008 standard. Required Privileges You must have MONITOR privileges to use the monitor form of GRANT. Be very selective about granting MONITOR privileges. These privileges should be granted only to those users who are cleared to monitor all applications on all sessions. There is no lower level of MONITOR privilege: its scope is always global. For example, the database administrator cannot grant user Addams the ability to do session-level monitoring of her applications only. Instead, the DBA would have to grant Addams the permission to do session-level monitoring of all applications by all sessions. SQL Data Control Language 35 Chapter 2: SQL Data Control Language Statement Syntax GRANT (Monitor Form) To determine who is currently using the MONITOR partition, issue the following query: SELECT UserName, IFPNo FROM DBC.SessionInfoV WHERE partition = ’MONITOR’; The GRANT statement is used only to assign specific privileges. To transfer ownership of a database or user, see “GIVE” on page 30. GRANT (SQL Form) and GRANT (MONITOR Form) The SQL and MONITOR forms of GRANT are separate statements. To grant a user all privileges, including MONITOR, the grantor must perform both statements, as in the following example. GRANT ALL PRIVILEGES ON object TO user_name WITH GRANT OPTION; GRANT MONITOR PRIVILEGES TO user_name WITH GRANT OPTION; Never specify the WITH GRANT OPTION unless you want the recipient of a privilege to be able to grant it to others. ALL PRIVILEGES refers only to database-related privileges. MONITOR PRIVILEGES indicates all monitoring-related privileges. GRANT (SQL Form) Versus GRANT (MONITOR Form) A major difference between the syntax of the GRANT (SQL Form) and GRANT (MONITOR Form) statements is that GRANT (MONITOR Form) has no clause that specifies what the privilege has been granted on. Because GRANT (MONITOR form) allows a user to impact the entire system, the permissions are implicitly ON PUBLIC. It is illegal to specify an ON object clause in any GRANT (MONITOR form) request. However, it is illegal not to specify an ON object clause in a GRANT (SQL Form) request. If you violate either of these restrictions, the system returns a failure response to the requestor. The two sets of GRANT privileges differ in function as well as in syntax. The GRANT (SQL Form) privilege set relates to controlling access to, and manipulation of, database objects, while the GRANT (MONITOR form) privilege set relates to monitoring system-wide performance. 36 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (Monitor Form) Privileges Granted Immediately GRANT MONITOR takes effect immediately when the grantee issues his next statement. It is unnecessary to log out to receive the monitor privilege just granted. Security Logging of Access Attempts If you need to maintain a security log of access attempts, see “BEGIN LOGGING” in SQL Data Definition Language. Related Topics See “REVOKE (Monitor Form)” on page 100 for information about revoking privileges granted by the Monitor form of GRANT. SQL Data Control Language 37 Chapter 2: SQL Data Control Language Statement Syntax GRANT (Role Form) GRANT (Role Form) Purpose Grants roles to users or other roles. Syntax , , GRANT role_name TO user_name role_name WITH ADMIN OPTION ; KZ01a008 where: Syntax Element … Specifies … role_name one or more comma-separated names of roles to grant to specified users or other roles. The system ignores duplicate role names. TO user_name role_name the names of role grantees. You can specify a maximum of 25 names per GRANT request. Grantees can be users or roles; however, a role cannot be granted to itself or to PUBLIC. GRANT does not produce an error if a specified role is already granted to a grantee. WITH ADMIN OPTION that the role grantees have the privilege to use DROP ROLE, GRANT, and REVOKE statements to administer the specified roles. A GRANT statement that does not include WITH ADMIN OPTION does not revoke a previously granted WITH ADMIN OPTION privilege from grantee. ANSI Compliance GRANT is ANSI SQL:2008-compliant. 38 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (Role Form) Required Privileges To grant a role, you must have the WITH ADMIN OPTION privilege on the role. The following users can grant a role to a user or other role: • User DBC. • A user who has been granted the specified role WITH ADMIN OPTION. The creator of a role is automatically granted the specified role WITH ADMIN OPTION. • A user who has an active role to which the specified role was granted WITH ADMIN OPTION. An active role can be a current role or a nested role of a current role. A grantor does not need to have any privilege, including WITH ADMIN OPTION, on the grantee to grant a privilege to it, whether the grantee is a role or a user. Restricted Privileges Roles cannot be granted on themselves or on PUBLIC, nor can they be granted any of the following privileges: • CREATE PROFILE • CREATE ROLE • CREATE USER • CTCONTROL • DROP PROFILE • DROP ROLE • DROP USER • REPLCONTROL About Roles Roles define privileges on database objects. A user who is assigned a role can access all the objects on which the role and its nested roles have privileges. Users can only be assigned a role that has been granted to them. You can grant a newly created role to a user or other role before the role has privileges on any database objects. An unlimited number of roles can be granted to a role or user. Role Hierarchy Roles can only be nested one level deep. Thus, a role that has a nested role cannot also be a nested role. This is a deviation from the ANSI SQL:2008 standard, which allows multiple nesting levels. SQL Data Control Language 39 Chapter 2: SQL Data Control Language Statement Syntax GRANT (Role Form) Example The following statements create roles called services and sales: CREATE ROLE services; CREATE ROLE sales; To make sales a nested role of services, use the following GRANT statement: GRANT sales TO services; To grant the sales role to user marks, and give marks the privilege to add other members to sales, use the following GRANT statement: GRANT sales TO marks WITH ADMIN OPTION; Related Topics See “REVOKE (Role Form)” on page 104 for information about revoking privileges granted by the Role form of GRANT. FOR more information on … SEE … granting privileges on database objects to roles “GRANT (SQL Form)” on page 41. obtaining the CREATE ROLE system privilege 40 granting CONNECT THROUGH proxy connection privileges to a permanent or application user with a set of roles “GRANT CONNECT THROUGH” on page 83 assigning default roles to users • “CREATE USER” in SQL Data Definition Language. • “MODIFY USER” in SQL Data Definition Language. changing the current role for a session “SET ROLE” in SQL Data Definition Language. SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) GRANT (SQL Form) Purpose Assigns one or more explicit privileges on a database, user, proxy logon user, table, hash index, join index, view, stored procedure, user-defined function, user-defined method, user-defined type, or macro to a role, group of roles, user, or group of users or databases. Syntax GRANT ALL ON A PRIVILEGES , privilege , privilege ALL BUT database_name user_name role_name PUBLIC A database_name. user_name. B object_name object_name procedure_name database_name. user_name. PROCEDURE SPECIFIC FUNCTION specific_function_name database_name. user_name. , function_name FUNCTION ( database_name. user_name. ) data type parameter_name TYPE UDT_name SYSUDTLIB. , role_privilege , profile_privilege , B 25 user_name TO ALL WITH GRANT OPTION ; PUBLIC , role_name database_name. user_name. SQL Data Control Language 1101W055 41 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Data Type INTEGER SMALLINT BIGINT BYTEINT DATE TIME TIMESTAMP (fractional_seconds_precision) WITH TIMEZONE INTERVAL YEAR (precision) TO MONTH INTERVAL MONTH (precision) INTERVAL DAY TO (precision) HOUR MINUTE SECOND ( fractional_seconds_precision ) INTERVAL HOUR TO (precision) MINUTE SECOND ( fractional_seconds_precision ) INTERVAL MINUTE (precision) TO SECOND ( fractional_seconds_precision ) INTERVAL SECOND (precision ) ,fractional_seconds_precision PERIOD(DATE) PERIOD(TIME PERIOD(TIMESTAMP ) (precision) WITH TIMEZONE REAL DOUBLE PRECISION FLOAT ( integer ) DECIMAL NUMERIC ( integer ) , integer A B 1101A535 42 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) A B CHAR BYTE ( integer ) GRAPHIC VARCHAR ( integer ) CHAR VARYING VARBYTE VARGRAPHIC LONG VARCHAR LONG VARGRAPHIC BINARY LARGE OBJECT ( integer BLOB ( G K M CHARACTER LARGE OBJECT CLOB UDT_name SYSUDTLIB. ST_Geometry MBR 1101A536 where: Syntax Element … Specifies … ALL [PRIVILEGES] that the specified user, database, or role is to receive all privileges that can be granted on the specified object. To include the ability for the designated user to GRANT object privileges to other users or databases, use the WITH GRANT OPTION clause. GRANT ALL means that all implicit and explicit object privileges owned by the grantor WITH GRANT OPTION that pertain to the type of object, and only those privileges, are granted on the specified database object. An error is returned if the grantor has no privileges WITH GRANT OPTION on the object. You must use the monitor form of the GRANT statement to grant monitor privileges. See “GRANT (Monitor Form)” on page 34. privilege SQL Data Control Language one of the privileges listed under the topic “ANSI Compliance” on page 30. 43 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Syntax Element … Specifies … OR specify this keyword … TO grant these privileges … AUTHORIZATION • CREATE AUTHORIZATION • DROP AUTHORIZATION DATABASE • CREATE DATABASE • DROP DATABASE DROP IF the ON clause specifies … THEN the privilege granted is … FUNCTION DROP FUNCTION PROCEDURE DROP PROCEDURE IF the ON clause specifies … THEN the privilege granted is … FUNCTION EXECUTE FUNCTION PROCEDURE EXECUTE PROCEDURE nothing EXECUTE MACRO EXECUTE 44 FUNCTION • CREATE FUNCTION • DROP FUNCTION GLOP • CREATE GLOP • DROP GLOP MACRO • CREATE MACRO • DROP MACRO PROCEDURE • CREATE PROCEDURE • DROP PROCEDURE TABLE • CREATE TABLE • DROP TABLE TRIGGER • CREATE TRIGGER • DROP TRIGGER SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Syntax Element … Specifies … OR specify this keyword … TO grant these privileges … USER • CREATE USER • DROP USER VIEW • CREATE VIEW • DROP VIEW Note that the INSERT, REFERENCES, SELECT, and UPDATE privileges have both table- and column-level options. See “REFERENCES” on page 56. The DELETE privilege applies only to the DELETE DML statement, not to DELETE USER or DELETE DATABASE, which are granted by DROP USER and DROP DATABASE, respectively. See also “Rules for privilege Keywords” on page 53. However, for a full explanation of the privileges a specific statement requires, see its Authorization section in the appropriate volume of the SQL book set. With the exception of the following items, the privileges do not directly correspond to an SQL statement: THIS privilege … REFERS to … CHECKPOINT both to the execution of the SQL statement and the Host Utilities (HUT) commands DUMP and RESTORE. DUMP the corresponding HUT command performed on the specified object. EXECUTE FUNCTION a UDF function call. EXECUTE PROCEDURE the corresponding CALL statement. INDEX the CREATE and DROP INDEX and COLLECT and DROP STATISTICS statements. REFERENCES columns referenced in a FOREIGN KEY clause of a CREATE or ALTER TABLE statement. RESTORE the corresponding HUT command performed on the specified object and to the execution of the following additional HUT commands: • DELETE JOURNAL • ROLLBACK • ROLLFORWARD SQL Data Control Language 45 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Syntax Element … Specifies … profile_privilege one of the following profile privileges: • CREATE PROFILE • DROP PROFILE • PROFILE PROFILE is not a separate privilege. It is a shorthand way to specify both CREATE PROFILE and DROP PROFILE. Profile privileges can only be granted to a set of users or to a role. They cannot be granted on an object. Specify PROFILE to grant the CREATE PROFILE and DROP PROFILE privileges. role_privilege one of the following role privileges: • CREATE ROLE • DROP ROLE • ROLE ROLE is not a separate privilege. It is a shorthand way to specify both CREATE ROLE and DROP ROLE. Role privileges cannot be granted to a role or to PUBLIC. Specify ROLE to grant the CREATE ROLE and DROP ROLE privileges. ALL BUT the named user is to receive all privileges that can be granted on the specified object except for those specified in the privilege list. As in ALL, only those object privileges owned by the grantor WITH GRANT OPTION are granted. ALL BUT is a Teradata extension to the ANSI SQL:2008 standard. Granting privileges on a database or user is a Teradata extension to the ANSI SQL:2008 standard. database_name | user_name | role_name | PUBLIC the name of a database, user, role or PUBLIC on which the explicitly granted privileges are to be granted. All objects contained by this database or user space are affected. [PROCEDURE] [database_name | user_name] procedure_name that the object is a stored procedure. PROCEDURE is optional if the privilege being granted contains the PROCEDURE keyword. See “Stored Procedure-SpecificPrivileges” on page 68. You can qualify procedure_name by its containing database_name or user_name if necessary. IF you specify PROCEDURE, you can specify … AS privilege to grant this privilege … EXECUTE EXECUTE PROCEDURE. DROP DROP PROCEDURE. You must grant the ALTER EXTERNAL PROCEDURE and CREATE EXTERNAL PROCEDURE privileges explicitly. 46 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Syntax Element … Specifies … SPECIFIC FUNCTION [database_name | user_name] specific_function_name the specific name of the function on which a privilege set is to be granted. The SPECIFIC FUNCTION keywords must be specified when a privilege is granted on an overloaded function. You can qualify specific_function_name by its containing database_name or user_name if necessary. FUNCTION [database_name | user_name] function_name the name of the function on which a privilege set is to be granted. FUNCTION is optional if the privilege being granted contains the FUNCTION keyword. The FUNCTION keyword must be specified when a privilege is granted on a function by its calling name. You can qualify function_name by its containing database_name or user_name if necessary. [parameter_name] data_type a parenthetical comma-separated list of data types and optional parameter names for the variables to be passed to the function. The data types are required to discriminate among overloaded functions that have the same name. BLOB and CLOB types must be represented by a locator (see “USING Request Modifier” in SQL Data Manipulation Language for a description of locators). Teradata Database does not support in-memory LOB parameters: an AS LOCATOR phrase must be specified for each LOB parameter and return value. You must specify opening and closing parentheses even if no parameters are passed to the function. If you specify one parameter name, then you must specify names for all the parameters passed to the function (see “HELP FUNCTION” in SQL Data Definition Language). The data type associated with each parameter is the type of the parameter or returned value. All Teradata Database data types are valid. Character data can also specify a CHARACTER SET clause. TYPE [SYSUDTLIB.] UDT_name the name of a UDT on which a privilege set is to be granted. The various TYPE privileges can be granted as follows: THIS privilege … CAN be granted on … UDTMETHOD SYSUDTLIB database. UDTTYPE UDTUSAGE database_name | user_name SQL Data Control Language • SYSUDTLIB database. • TYPE. the name of a database or user on which the privileges are to be granted. All objects in this database or user space are affected. 47 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Syntax Element … Specifies … database_name. object_name | user_name.object_name the name of the immediately owning database or user and the name of the object (table, view, stored procedure, or macro) on which the privileges are to be granted. Only the named object is affected. object_name the name of the object (table, view, join index, function, stored procedure, or macro) on which the privileges are to be granted. You should always qualify object names when granting privileges because the system checks for matching database names before checking for object names. [ALL] user_name IF … THEN the system … the object name is not qualified and the system finds a database with that name assumes it is a database name. the object name is not qualified and no database having that name is found assumes it is an object within the current default database. neither a database nor an object is found returns an error to the requestor. the name of a database or user that identifies the recipient. user_name must be the identifier of a user already defined to the system. You can specify a maximum of 25 names per GRANT request. If you specify ALL, then the object privileges are granted to the named database or user and to every database or user owned by that database or user now and in the future. ALL is a Teradata extension to the ANSI SQL:2008 standard. PUBLIC that the privileges are inherited by all existing and future Teradata Database users and databases. WITH GRANT OPTION that the grantee receives the granted privileges WITH GRANT OPTION. database_name | user_name the containing database or user for role_name, if something different from the current database or user. role_name the name of a role. This option does not apply to grantees that are roles. A GRANT statement that specifies WITH GRANT OPTION when there is a role in the list of grantees aborts and returns an error message. The role must already be defined to the system. The CREATE forms of DATABASE, FUNCTION, MACRO, TABLE, VIEW, PROCEDURE, or USER, and the DROP forms of DATABASE and USER are allowed only on databases or users. You cannot grant any of these privileges to roles. 48 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Syntax Element … Specifies … REPLCONTROL the REPLCONTROL privilege. REPLCONTROL control two separate functions: • The privilege to define and manage replication groups. • The ability to run SQL statements that change columnar data values for a table when that table is in a state that would not otherwise allow changes to be made. ANSI Compliance The SQL form of GRANT is ANSI SQL:2008-compliant with extensions. ANSI SQL:2008 supports the following privileges in common with Teradata SQL: • DELETE • EXECUTE • INSERT [(column_list)] • REFERENCES [(column_list)] • UPDATE [(column_list)] • SELECT [(column_list)] • TRIGGER The term [(column_list)] following a privilege indicates a parenthetically enclosed set of optional comma-separated column names to which the privilege is to be granted. The privileges in the following list are Teradata extensions to the privileges defined in the ANSI SQL:2008 standard: SQL Data Control Language 49 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) • ABORT SESSION • ALTER EXTERNAL PROCEDURE • ALTER FUNCTION • ALTER PROCEDURE • AUTHORIZATION • CHECKPOINT • CREATE AUTHORIZATION • CREATE DATABASE • CREATE EXTERNAL PROCEDURE • CREATE FUNCTION • CREATE GLOP • CREATE MACRO • CREATE OWNER PROCEDURE • CREATE PROCEDURE • CREATE PROFILE • CREATE ROLE • CREATE TABLE • CREATE TRIGGER • CREATE USER • • • • • • • • • • • • • • • • • • • • • • CREATE VIEW CTCONTROL DATABASE DROP DROP AUTHORIZATION DROP DATABASE DROP FUNCTION DROP GLOP DROP MACRO DROP PROCEDURE DROP PROFILE DROP ROLE DROP TABLE DROP TRIGGER DROP USER DROP VIEW DUMP EXECUTE FUNCTION EXECUTE PROCEDURE FUNCTION GLOP GLOP MEMBER • • • • • • • • • • • • • • • • • • • INDEX MACRO MONITOR RESOURCE MONITOR SESSION PROCEDURE REFERENCES ALL BUT … [(column_list)] REPLCONTROL RESTORE SET RESOURCE RATE SET SESSION RATE SHOW STATISTICS TABLE UDTMETHOD UDTTYPE UDTUSAGE UPDATE ALL BUT … [(column_list)] USER VIEW The following privileges are defined in the ANSI SQL:2008 standard, but are not valid in Teradata SQL: • SELECT [(privilege_method_list)] • UNDER • USAGE Required Privileges You must be one of the following to grant privileges on an object using the SQL GRANT statement: • User DBC. • An owner of the object. There is a subtle security issue associated with this. See “Security Considerations With CREATE MACRO Privilege” on page 57 for details. • A user possessing each privilege to be granted. A user might have a privilege either by having been granted it explicitly or by inheriting it from a role as a result of creating a view, macro, or stored procedure. 50 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Note the following details: • A user need not be related to a grantor through ownership to receive a privilege. A grantor does not need to have any privilege, including WITH ADMIN OPTION, on the grantee to grant a privilege to it, whether the grantee is a role, a user, database, or PUBLIC. • If a GRANT statement is on a database or user, the privilege applies to all objects, both current and future, created in that space. If a REVOKE statement later removes the privilege, the privilege is dropped for all objects, regardless of when they were created. A REVOKE statement at the object level cannot remove a privilege from that object that was granted on the database or user. • When you specify the WITH GRANT OPTION phrase, the recipient of the privilege can then grant that privilege to other users. An owner implicitly has the WITH GRANT OPTION privilege on any database, user, or object it owns. An owner can explicitly grant any or all privileges on any of the following … • a child database • a child user • a database object TO … • • • • any other database any other user a role PUBLIC • Any privilege granted automatically or explicitly1 can be revoked using the REVOKE statement. See “REVOKE (SQL Form)” on page 107. • Implicit privileges cannot be revoked. Multiple Privileges Specified by a Single Keyword Teradata Database has a special category of keywords that you can use to grant multiple privileges. For example, the following GRANT request grants both the CREATE DATABASE and DROP DATABASE privileges to user df2 using the keyword DATABASE: GRANT DATABASE on df2; The following table lists this class of keywords and indicates the multiple privileges that they confer when they are granted on a user or database: The following keyword … Indicates the following privileges … ALL all implicit and explicit object privileges owned by the grantor WITH GRANT OPTION that pertain to the type of object specified, and only those privileges, are granted on the specified database object. 1. That is, any explicit privilege. SQL Data Control Language 51 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) The following keyword … Indicates the following privileges … CHECKPOINT • ability to execute the CHECKPOINT SQL statement. • ability to execute the HUT CHECKPOINT command. DATABASE • CREATE DATABASE • DROP DATABASE FUNCTION • CREATE FUNCTION • DROP FUNCTION GLOP • CREATE GLOP • DROP GLOP INDEX • • • • MACRO • CREATE MACRO • DROP MACRO PROCEDURE • CREATE PROCEDURE • DROP PROCEDURE PROFILE • CREATE PROFILE • DROP PROFILE RESTORE ability to execute the following HUT commands on the specified object: COLLECT STATISTICS CREATE INDEX DROP INDEX DROP STATISTICS • DELETE JOURNAL • ROLLBACK • ROLLFORWARD ROLE • CREATE ROLE • DROP ROLE SHOW the ability to execute the following SQL statements only: • HELP database_object • SHOW database_object 52 TABLE • CREATE TABLE • DROP TABLE TRIGGER • CREATE TRIGGER • DROP TRIGGER USER • CREATE USER • DROP USER VIEW • CREATE VIEW • DROP VIEW SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Privilege Abbreviations See Data Dictionary for a complete list of privileges and their abbreviations as maintained in DBC.AccessRights. You cannot use these abbreviations in a GRANT (SQL Form) request. Instead, you must specify the complete privilege name. Rules for privilege Keywords The following rules apply to using the privilege keywords. • You can specify any combination of privileges. However, the user submitting the statement must have privileges on all of the specified privileges for the system to grant them. • The recipient of a privilege can perform the corresponding statement against the object on which the privilege was granted. For example, if user_1 receives the CREATE TABLE privilege on database DbTest, user_1 can then perform a CREATE TABLE statement in which the new table is directed to DBTest, where the target database is resolved either implicitly, as determined by the default database for user1, or explicitly with a fully qualified table name. • The CHECKPOINT privilege refers to the execution of both the SQL statement and the Host Utilities (HUT) command. The DUMP and RESTORE privileges refer to the corresponding HUT command performed on the specified object. RESTORE also refers to execution of the HUT commands ROLLBACK, ROLLFORWARD, and DELETE JOURNAL. • The CREATE forms of DATABASE, FUNCTION, MACRO, TABLE, VIEW, PROCEDURE, or USER, and the DROP forms of DATABASE and USER are allowed only on databases or users. • DROP TABLE authorizes the following statements on the tables: • ALTER TABLE • COLLECT STATISTICS • CREATE INDEX • DROP INDEX • DROP STATISTICS • DROP MACRO, PROCEDURE, or VIEW includes REPLACE MACRO, PROCEDURE, or VIEW. • Only DROP MACRO and EXECUTE are allowed on macros. • Only ALTER PROCEDURE, DROP PROCEDURE, EXECUTE PROCEDURE, and CREATE OWNER PROCEDURE are allowed on stored procedures. • CREATE OWNER PROCEDURE is an explicit privilege that must be granted explicitly to a user or database. Because it is the responsibility of each site to control its own security, the DBA or Security Administrator should take the appropriate actions to prevent the CREATE OWNER PROCEDURE privilege from being granted indiscriminately. • SQL Data Control Language ALTER EXTERNAL PROCEDURE is required to change the execution state of an external procedure between the PROTECTED and NOT PROTECTED states using the ALTER PROCEDURE (External Form) statement (see SQL Data Definition Language). 53 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) • Only ALTER FUNCTION, DROP FUNCTION, and EXECUTE FUNCTION are allowed on user-defined functions. • DUMP, RESTORE, INDEX, and CHECKPOINT are not allowed on views. • DATABASE, FUNCTION, INDEX, GLOP, MACRO, PROCEDURE, PROFILE, ROLE, TABLE, USER, and VIEW confer both CREATE and DROP privileges. If the DATABASE, FUNCTION, INDEX, GLOP, MACRO, PROCEDURE, PROFILE, ROLE, TABLE, USER, or VIEW keyword is specified without CREATE or DROP, both CREATE and DROP are assumed by default. • INDEX authorizes the following statements on the tables: • COLLECT STATISTICS • CREATE INDEX • DROP INDEX • DROP STATISTICS If INDEX is granted on all of the base tables of a join index, INDEX also allows COLLECT and DROP STATISTICS on the join index. • INSERT, REFERENCES, SELECT, and UPDATE have both table- and column-level options. • You cannot grant the UPDATE privilege on a GENERATED BY DEFAULT identity column. • You cannot grant privileges on a trigger, only on the database or table to which the trigger applies. The CREATE TRIGGER and DROP TRIGGER privileges are granted to a user, either on the specified database or on the subject table of the trigger. • You can grant CREATE ROLE, DROP ROLE, CREATE PROFILE, and DROP PROFILE privileges to users only, not to roles, databases, or PUBLIC. • CREATE ROLE, DROP ROLE, CREATE PROFILE, and DROP PROFILE are system privileges; you grant the privileges to a user, but not on a specific object. • With respect to collecting or dropping statistics, the STATISTICS privilege has the same effect as either INDEX or DROP TABLE, but does not grant users the wider capabilities associated with those privileges. STATISTICS can be granted at both the table and database levels. • You cannot grant external roles with the GRANT statement. You can only grant individual privileges and database roles to external roles within Teradata Database. See Security Administration and Database Administration for details. • A GRANT or REVOKE request for the CTCONTROL and REPLCONTROL system privileges can only be submitted by user DBC or by a user who has previously been granted the privilege WITH GRANT OPTION. • The name of the user you specify when you grant the CTCONTROL or REPLCONTROL privilege must be a unique identifier that is assigned to an existing system user. It cannot be the name of a role defined in the system. Be very careful about granting system privileges like REPLCONTROL, because they apply to all database objects in the system. 54 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) • When you specify the phrase GRANT OPTION FOR in a REVOKE request, the system removes only the ability of the recipient to grant the privilege to others. The system does not remove the specified privilege itself when you specify GRANT OPTION FOR in a REVOKE request. • The SHOW privilege enables a user to view the definition (using a SHOW object_type request), or request help about definitions and other information (using a HELP object_type request) for a database object without also being able to change the definition of the object or retrieve rows from it. SHOW, which must be granted explicitly, can be granted at the object and database levels. The creator of an object does not receive the SHOW privilege automatically on the object it creates. User DBC can also grant this privilege on the dictionary tables to other users/ databases. You can use SHOW to provide access to statements such as SHOW TABLE, HELP TABLE, and HELP STATISTICS that require any privilege of any kind. All statements that require any privilege can also use SHOW. This privilege provides a DBA with the ability to grant a user the ability to SHOW a table or view, or do HELP STATISTICS, and so on without having SELECT access to a table. Differences Between GRANT and GIVE The GRANT statement is used only to assign specific privileges, while the GIVE statement transfers the ownership of a database or user to another database or user. See “GIVE” on page 30 for details. Privileges Are Granted Immediately GRANT takes effect immediately when the grantee issues their next statement. You do not need to log out to receive a privilege that was just granted to you. Object Names The element object_name is the name of a table, join index, hash index, view, stored procedure, user-defined function, user-defined method, user-defined data type, or macro. If the form of the privileges option includes a set of column names, then object_name must specify either a table or view. If object_name is not qualified by either a database name or user name and there is an object having that same name both under the current database of the executing user and that of the grantee, then it is assumed that the object is that in the current database of the executing user. The only exception to this is for all objects related to UDTs, including UDT-related UDFs and UDMs, all of which must be contained within the SYSUDTLIB database. An unqualified object_name is considered to be that of the current database if the name is that of the current database and also the name of a table either within the current database or within the database of the grantee. SQL Data Control Language 55 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) REFERENCES The REFERENCES privilege applies at both the table and column levels. It is required on all columns referenced, whether implicitly or explicitly, in a FOREIGN KEY clause of a CREATE TABLE or ALTER TABLE statement. The system grants this privilege automatically, with grant authority, to the creator of a table. Owners acquire the privilege implicitly. If you specify a column list (a list of parenthetically enclosed, comma-separated column names, for example (column_name_1, ..., column_name_n)) with the keywords INSERT, REFERENCES, SELECT, or UPDATE, and the specified grantee set already has the privilege specified at the table level with the indicated grant authority, then the system accepts the statement but takes no action. This is because having INSERT, REFERENCES, SELECT, or UPDATE privileges at table level also enables that action against all of its columns. INDEX The INDEX privilege only applies at table level. You must have either this privilege or DROP TABLE to perform the CREATE or DROP INDEX and COLLECT or DROP STATISTICS statements. The system implicitly gives this privilege, with grant authority, to the immediate owner of the table at the time of creation. Column-Level Privileges The DBC.AccessRights table stores the field ID of a column on which an INSERT, REFERENCES, SELECT, or UPDATE privilege has been granted. The column type is non-null SMALLINT. If the privilege defined by the row is not at the column level then the value of the column is set to zero. Column-level privileges are held implicitly by the owners of a table. As is always true for implicit privileges, a row is not inserted into DBC.AccessRights for implicit column-level privileges. Rows are also not generated in DBC.AccessRights for individual columns when the INSERT, REFERENCES, SELECT, or UPDATE privileges are granted at the table level. Rows are generated in DBC.AccessRights only for privileges granted by a GRANT statement at the column level when the grantee does not have the privilege at the table level. The only exception is the case of a user or database that has a privilege at table level but without GRANT authority and who then is granted the same privilege on an individual column of the same table with grant authority. Privileges Required to Perform UPDATE, DELETE, and INSERT Operations Any user who needs to perform any form of update, delete, or insert operations, including the insert and update operations performed by a MERGE request, must be granted the SELECT privilege on all columns that are read by the delete, insert, merge, or update request from which that user needs to read values. For the INSERT statement, SELECT privileges are required only if a table is to be reflexively grown by INSERT … SELECT statements performed on itself. 56 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) If the column being updated, deleted, or inserted into has a UDT type, then you must also have the UDTUSAGE or UDTTYPE privilege on that UDT. Be careful when granting the delete privilege through a view because data in columns that are not defined in the view (and which might be important to the enterprise) might unsuspectingly be deleted when an unknowing user deletes a row through a view. Security Considerations With CREATE MACRO Privilege Before you grant CREATE MACRO on a database or user, it is extremely important to realize that the recipient of that privilege can create and perform macros that have all the privileges of that database or user. This is because for CREATE MACRO, the privileges are inherited from the immediate owner of the macro, not from its creator. As a result, the grantee can create macros that contain DCL and DDL statements that are not checked for the privileges of the creator. This means that you are implicitly assigning privileges to the macro creator that they have no explicit, implicit, or automatic privilege to perform. This might not be a desirable result and you should be exceedingly careful when granting this privilege. For example, consider the scenario presented in the following graphic. SysAdmin DBA DBA GRANT CREATE MACRO ON Compensation TO CompAnalyst 6; CompAnalyst 6 Compensation CREATE MACRO everything AS (GRANT ALL PRIVILEGES ON Compensation TO CompAnalyst 6;); 1101B001 The compensation database is owned by user DBA. User SysAdminDBA, the system administrator for compensation, has privileges on compensation, including CREATE MACRO WITH GRANT OPTION, and on all objects owned by compensation. SysAdminDBA can also effectively grant herself any of the following: • Privileges on objects owned by compensation. • Privileges that compensation has WITH GRANT OPTION. • Any implicit privileges owned by compensation. SysAdminDBA creates user CompAnalyst6 for an entry level programmer who has been assigned to produce compensation reports for several routine audits performed by various state and federal regulatory agencies. To ensure that CompAnalyst6 does not have access to SQL Data Control Language 57 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) critical private employee base salary and bonus information, she has been granted only a restricted set of privileges on objects in the compensation database. To make it easier for CompAnalyst6 to create the reports, SysAdminDBA also grants her the CREATE MACRO privilege on compensation as follows: GRANT CREATE MACRO ON compensation TO companalyst6; Because the privileges for executing macros in compensation derive from compensation, CompAnalyst6 can create and perform macros that report on just the sort of private data she was meant to be restricted from viewing. For example, CompAnalyst6 can grant herself full access to all tables in the database through a simple macro and then create any database object or perform a query that reports on salary and bonus data for each employee in the enterprise in the three quick steps outlined in the following procedure: 1 CREATE MACRO everything AS (GRANT ALL PRIVILEGES ON compensation TO companalyst6;); 2 EXECUTE MACRO everything; 3 SELECT * FROM salary, bonus; 4 End of procedure. CompAnalyst6 is also able to modify data and drop tables in the compensation database. Logging Access Attempts If you need to maintain a security log of access attempts, you can use the access logging feature to do so (see “BEGIN LOGGING” in SQL Data Definition Language). Restrictions on Granted Privileges When a user explicitly grants privileges to another user, database, role, or PUBLIC, there are rules that determine whether, how, and on what object the requested privilege can be implemented. The restrictions that apply to explicitly granted privileges are detailed in the following table. The first column of the table lists the privilege type, the second column describes restrictions if the privilege is granted on a database, user, role, or PUBLIC, and the third column describes restrictions if the privilege is granted on a table, view, function, stored procedure, method, UDT, or macro. 58 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Privilege ALL Object (Database, User, Role, PUBLIC) All privileges the grantor can grant on an object. • Grants UDTMETHOD on the SYSUDTLIB database. If granted WITH GRANT OPTION, permits grantee to grant others UDTMETHOD, UDTTYPE, and UDTUSAGE, optionally WITH GRANT OPTION. Table, View, Function, GLOP, Method, UDT, Procedure, or Macro The following are true only if the grantor owns the privilege: • Grants EXECUTE and DROP on a macro. • Grants DROP, DELETE, INDEX, INSERT, REFERENCES, SELECT, UPDATE, RESTORE, CREATE TRIGGER, DROP TRIGGER, and DUMP on a data table. • Grants DROP on hash and join indexes. • Grants DROP, DELETE, INSERT, SELECT, and UPDATE on a view. • Grants INSERT, DUMP, RESTORE, and CHECKPOINT on a journal table. • Grants ALTER PROCEDURE, DROP PROCEDURE, and EXECUTE PROCEDURE privileges on a stored procedure. • Grants ALTER FUNCTION, DROP FUNCTION, and EXECUTE FUNCTION privileges on a specified user-defined function. • Grants CREATE GLOP, GLOP, and DROP GLOP to a user. • Grants GLOP MEMBER to a specified user or database. ALTER FUNCTION ALTER PROCEDURE Privilege applies to all user-defined functions or internal stored procedures in the specified space. Privilege applies to the specified user-defined functions or internal stored procedures. ALTER EXTERNAL PROCEDURE Privilege applies to all external stored procedures in the specified space. Privilege applies to the specified external stored procedure. CHECKPOINT Privilege applies to the journal table in the specified database. Privilege applies to the named journal table. CREATE DATABASE CREATE USER CREATE granted for the specified space. Not applicable. CREATE EXTERNAL PROCEDURE CREATE FUNCTION CREATE MACRO CREATE PROCEDURE CREATE TABLE CREATE VIEW CREATE granted for the object type for the specified space. Not applicable. CREATE GLOP CREATE granted for the specified user. This privilege is not granted automatically when a user or database is created. SQL Data Control Language 59 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Privilege GLOP MEMBER Object (Database, User, Role, PUBLIC) Table, View, Function, GLOP, Method, UDT, Procedure, or Macro Privilege enables an external routine to access the GLOP set specified in the MEMBER OF GLOP SET clause of its definition when that GLOP set is not contained within the containing user or database for the routine. This privilege is not granted automatically when a user or database is created. CREATE PROFILE CREATE ROLE CREATE PROFILE and CREATE ROLE cannot be granted on an object. CREATE PROFILE and CREATE ROLE cannot be granted on an object. CREATE TRIGGER CREATE granted for the object type for the specified space. CREATE granted for the specified table. CTCONTROL Privilege is granted to or revoked from user objects. CTCONTROL can only be granted to a user. User DBC can grant CTCONTROL to any other user WITH GRANT OPTION. DATABASE FUNCTION GLOP INDEX MACRO PROCEDURE PROFILE ROLE TABLE TRIGGER USER VIEW CREATE and DROP granted for the type for the specified space. Not applicable. DELETE INSERT SELECT UPDATE Privilege applies to all tables or views in the specified database. Privilege applies only to the specified table, view, or columns. UPDATE, INSERT, and SELECT apply to a table or column set of the table. UPDATE cannot be granted on a GENERATED ALWAYS identity column. For a grantee to use the granted privileges on a view, the immediate owner of a view must have appropriate privileges on the tables and views referenced by the view. For a grantee to use the granted privileges on a view, the immediate owner of a view must have appropriate privileges on the tables and views referenced by the view. Not applicable. DROP granted for specified: DROP TRIGGER applies to the table on which a trigger is defined. • Stored procedures when PROCEDURE is specified before the procedure name or for the specified function. • Functions when FUNCTION or SPECIFIC FUNCTION is specified before the function name. DROP DATABASE DROP USER 60 DROP granted for the specified space. Not applicable. SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Privilege Object (Database, User, Role, PUBLIC) DROP FUNCTION DROP MACRO DROP PROCEDURE DROP TABLE DROP TRIGGER DROP VIEW DROP granted for the object type for the specified space. Table, View, Function, GLOP, Method, UDT, Procedure, or Macro DROP granted for the specified user-defined function, macro, stored procedure, table, or view. DROP TABLE also grants the privilege to collect statistics on an eligible database object. DROP TRIGGER applies to the table on which a trigger is defined. DROP GLOP DROP granted for the specified GLOP set to the specified user or database. This privilege is not granted automatically when a user or database is created. This privilege is automatically granted to the creator and owner of the GLOP set. DROP PROFILE DROP ROLE DROP PROFILE and DROP ROLE can only be granted to a user or role. They cannot be granted on an object. DROP PROFILE and DROP ROLE can only be granted to a user or role. They cannot be granted on an object. DUMP RESTORE Privilege applies to all tables in the specified database. Privilege applies to the named data table or journal table only. EXECUTE Privilege applies to all user-defined functions or macros in the specified database. Privilege applies to the specified macro if the keywords FUNCTION, SPECIFIC FUNCTION, or PROCEDURE are not specified. For the grantee to use the privilege on a user-defined function or macro, the immediate owner of the macro or UDF must have appropriate privileges on the objects referenced by the macro or UDF. For the grantee to use the privilege on a user-defined function or macro, the immediate owner of the macro must have appropriate privileges on the objects referenced by the macro. Privilege applies to the specified user-defined functions or stored procedures if the keywords FUNCTION, SPECIFIC FUNCTION, or PROCEDURE are specified. EXECUTE FUNCTION Privilege applies to all user-defined functions or stored procedures in the specified space. Privilege applies to the specified user-defined functions or stored procedures. EXECUTE PROCEDURE For the grantee to use the privilege on a procedure, the immediate owner of the stored procedure must have the appropriate privileges on the objects referenced by the stored procedure. For the grantee to use the privilege on a procedure, the immediate owner of the stored procedure must have the appropriate privileges on the objects referenced by the stored procedure. INDEX Not applicable. Privilege applies on a table or hash or join index. INDEX also grants the privilege to collect statistics on an eligible database object. SQL Data Control Language 61 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Privilege Object (Database, User, Role, PUBLIC) Table, View, Function, GLOP, Method, UDT, Procedure, or Macro PROFILE ROLE CREATE PROFILE, DROP PROFILE, CREATE ROLE, and DROP ROLE can only be granted to users and roles. They cannot be granted on an object. CREATE PROFILE, DROP PROFILE, CREATE ROLE, and DROP ROLE can only be granted to users and roles. They cannot be granted on an object. REFERENCES Not applicable. Privilege applies on a table or column of the table. REPLCONTROL Privilege is a total system privilege and is not granted to or revoked from specific tables or databases. REPLCONTROL can only be granted to a user. User DBC can grant REPLCONTROL to any other user WITH GRANT OPTION. SHOW Not applicable. Privilege applies on a table, hash or join index, or database. Privilege does not allow the grantee the ability to perform any operations on the granted database object other than to make a HELP or SHOW request against it. STATISTICS Not applicable. Grants same privilege to collect statistics as DROP TABLE or INDEX. Privilege applies on a table, hash or join index, or database. UDTMETHOD Can only be granted on the SYSUDTLIB database. Not applicable. Privilege applies to all UDTs, UDMs, and UDFs contained within the SYSUDTLIB database. Effectively grants UDTUSAGE on all UDTs contained within SYSUDTLIB as well as UDTTYPE on the SYSUDTLIB database. Privilege applies to the specified UDT object. • Grants ability to access a UDT column in a table or view. • Grants CREATE TYPE, ALTER TYPE, and DROP TYPE including method signatures. • Grants CREATE ORDERING and DROP ORDERING. • Grants CREATE CAST and DROP CAST. • Grants CREATE TRANSFORM and DROP TRANSFORM. • Grants CREATE TABLE for UDT columns. • Grants ability to reference any UDT in a UDF or stored procedure. • Grants ability to execute all methods. • Grants CREATE METHOD, ALTER METHOD, and REPLACE METHOD. 62 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Privilege Object (Database, User, Role, PUBLIC) UDTTYPE Can only be granted on the SYSUDTLIB database. Table, View, Function, GLOP, Method, UDT, Procedure, or Macro Not applicable. Privilege applies to all UDTs, UDMs, and UDFs contained within the SYSUDTLIB database. Effectively grants UDTUSAGE on all UDTs contained within the SYSUDTLIB database. Privilege applies to the specified UDT object. • Grants ability to access a UDT column in a table or view. • Grants CREATE TYPE and ALTER TYPE only if no method signatures are specified. • Grants DROP TYPE. • Grants CREATE ORDERING and DROP ORDERING. • Grants CREATE CAST and DROP CAST. • Grants CREATE TRANSFORM and DROP TRANSFORM • Grants CREATE TABLE for UDT columns. • Grants ability to reference any UDT in a UDF or stored procedure. • Grants ability to execute all methods. UDTUSAGE Can be granted on the following: Privilege applies to the specified UDT object. • SYSUDTLIB database. • TYPE. Privilege applies to all UDTs, UDMs, and UDFs contained within the SYSUDTLIB database. • Grants ability to access a UDT column in a table or view. • Grants ability to execute all methods associated wholly with the specified UDT, but no others. Granting Privileges on Global Temporary and Volatile Tables GRANT always applies to the base global temporary table and never to a materialized instance. Just as with permanent tables, a user must have the appropriate privileges before submitting a GRANT request. Because Teradata Database does not check privileges for volatile tables, you cannot GRANT privileges to them. SQL Data Control Language 63 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Verifying Privileges on Views, Macros, and Stored Procedures WHEN this statement is submitted … The system verifies that the creator has these privileges … CREATE MACRO any needed to perform the SQL statements in the macro body. CREATE PROCEDURE (SQL Form) any needed to perform the SQL statements in the stored procedure body. • CREATE PROCEDURE (External Form) • ALTER PROCEDURE (External Form) CREATE EXTERNAL PROCEDURE and any needed to access the specified tables, columns, and views using any of the valid API function calls. CREATE PROCEDURE … SQL SECURITY OWNER (both forms) CREATE OWNER PROCEDURE and either of the following: CREATE VIEW SELECT on the underlying base tables and views. • For the SQL form, any needed on the underlying tables, columns, and views to perform the SQL statements in the stored procedure body. • For the external form, any needed on the underlying tables, columns, and views using any of the valid API function calls. Teradata Database also verifies that the appropriate privileges exist on the target objects for any user who attempts to access a view, or perform a macro or stored procedure. This ensures that a change to a target object does not cause a violation of privileges when the view, macro, or stored procedure referencing that object is invoked. REPLCONTROL Privilege The REPLCONTROL privilege controls two separate functions: • • The ability to define and manage replication groups. See the following for more information: • “CREATE REPLICATION GROUP’ in SQL Data Definition Language • “CREATE REPLICATION RULESET” in SQL Data Definition Language • “SET SESSION OVERRIDE REPLICATION” in SQL Data Definition Language • “HELP REPLICATION GROUP” in SQL Data Definition Language The ability to perform SQL DML updates2 to replication group member tables while they are in a state that would otherwise not permit updates to be made. Be exceedingly careful when granting the REPLCONTROL privilege to a user because of the high risk to enterprise security involved. REPLCONTROL applies to all objects in the system, and a user who has been granted this privilege could create a replication group consisting of any tables defined in the system. 2. The term update here applies to any of the operations performed by the following SQL DML statements: DELETE, INSERT, MERGE, and UPDATE. 64 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) CTCONTROL Privilege CTCONTROL authorizes a user to grant or revoke the CONNECT THROUGH privilege using the GRANT CONNECT or REVOKE CONNECT statements. You can only grant CTCONTROL to specific users. The following rules apply to granting the CTCONTROL privilege: • The user specified by user_name must be an existing user of the system. Note that user_name cannot specify a role. If you attempt to grant CTCONTROL to a role, the request aborts and returns a message to the user. • User DBC can grant the CTCONTROL privilege to any other user WITH GRANT OPTION. • To submit a GRANT request for the CTCONTROL privilege to a user, you must either be user DBC or a user who has previously been granted the CTCONTROL privilege WITH GRANT OPTION. WITH GRANT OPTION permits the grantee to grant the privilege to other users. SHOW Privilege The SHOW privilege enables you to have access to database object definitions and create text without having access to the data contained by the objects on which the privilege is granted. For example, SHOW permits a user to execute HELP and SHOW requests against an object while at the same time not being able to SELECT from it. Any SQL statement that requires any privilege (such as the HELP and SHOW statements) to be executed can be granted the SHOW privilege. SHOW is an explicit privilege. Teradata Database does not grant the creator of an object this privilege automatically on the created user, database, or database object; SHOW must be granted explicitly. You must have the SHOW privilege WITH GRANT OPTION to be able to grant this privilege explicitly to other users and databases. User DBC automatically has the SHOW privilege and can grant it on dictionary tables to other users and databases. Granting Privileges on Queue Tables GRANT both the SELECT and DELETE privileges on the queue table to the user, database, role, or PUBLIC from which a user performs consume mode SELECT statements. GLOP Privileges Teradata Database does not grant any of the GLOP privileges automatically when a database or user is created. All GLOP privileges must be explicited granted, even when the privileges have been granted by a user who possesses the WITH GRANT OPTION privilege. SQL Data Control Language 65 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) There are three GLOP privileges: • CREATE GLOP enables the user to whom it is granted to perform the CREATE GLOP SET statement to create a new GLOP set. • DROP GLOP enables the user to whom it is granted to perform the DROP GLOP SET statement to drop an existing GLOP set. DROP GLOP is granted automatically to the creater and owner of a GLOP set. • GLOP MEMBER enables an external routine to access a GLOP set that is not contained within its containing user or database. Specifically, GLOP MEMBER enables the GLOP set clause referenced in the function, method, or procedure definition to use the GLOP set specified in the MEMBER OF GLOP SET clause. You can also specify the keyword GLOP by itself to signify both the CREATE GLOP and DROP GLOP privileges (see “Privilege Abbreviations” on page 53). Granting Privileges on Stored Procedures The following table describes the privileges of different types of users or grantors with respect to stored procedures-specific privileges: 66 This privilege... Is granted to... By... ALTER PROCEDURE user DBC implicitly. user DBC. CREATE PROCEDURE other users, roles, databases, or PUBLIC explicitly. • user DBC. • an owner of the user or database where the owner has this privilege WITH GRANT OPTION on itself. • a database or user having this privilege WITH GRANT OPTION on the database or user for which the privilege is being granted. ALTER EXTERNAL PROCEDURE user DBC implicitly. user DBC. other users explicitly. • user DBC. • a database or user having this privilege WITH GRANT OPTION on itself. DROP PROCEDURE all users, roles, databases, or PUBLIC explicitly. default. SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) This privilege... Is granted to... By... EXECUTE PROCEDURE or user DBC implicitly. user DBC. the creator of a stored procedure automatically. the creator. EXEC PROCEDURE Except for user DBC, owners do not implicitly have this privilege. If the immediate owner of the procedure is different from its creator, the owner does not receive this privilege automatically. other users, roles, databases, and PUBLIC explicitly. • user DBC. • an owner of the user or database where the owner has this privilege WITH GRANT OPTION on itself. • a database or user having this privilege WITH GRANT OPTION on the database or user for which the privilege is being granted. External stored procedures (see “CREATE PROCEDURE (External Form)/REPLACE PROCEDURE (External Form)” in SQL Data Definition Language for a description of external stored procedures) also require the ALTER EXTERNAL PROCEDURE and CREATE EXTERNAL PROCEDURE (see “CREATE EXTERNAL PROCEDURE Privilege” on page 68) privileges. You need the ALTER EXTERNAL PROCEDURE privilege to be able to perform the ALTER PROCEDURE (External Form) statement (see “ALTER PROCEDURE (External Form)” in SQL Data Definition Language). The ALTER PROCEDURE (External Form) statement provides the ability to recompile existing external stored procedures. The intent of the ALTER EXTERNAL PROCEDURE privilege is to give DBAs the ability to change the execution mode or to recompile an existing external stored procedure in situations where the current library is corrupt or the system has been reloaded. Do not grant this privilege to any user other than a DBA. This privilege permits DBAs to use ALTER PROCEDURE (External Form) requests to change the execution mode for a particular external stored procedure to execute either directly in unprotected mode (EXECUTE NOT PROTECTED) or as a separate process in protected mode (EXECUTE PROTECTED). ALTER EXTERNAL PROCEDURE is not an automatic privilege for a user when you create a database or user. Instead, the DBA retains the privilege (initially, only user DBC holds the privilege implicitly) and assigns it judiciously only for external stored procedures that are completely debugged and production-certified, so can have their execution mode changed from EXECUTE PROTECTED to EXECUTE NOT PROTECTED (see “ALTER PROCEDURE (External Form)” in SQL Data Definition Language). Do not grant users the ability to perform the ALTER PROCEDURE (External Form) statement without carefully weighing the pros and cons, because doing so could easily compromise the integrity of the system if the privilege is misused (also see “CREATE EXTERNAL PROCEDURE Privilege” on page 68). SQL Data Control Language 67 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) You can grant the ALTER EXTERNAL PROCEDURE privilege on either a specific external stored procedure or to an entire database or user. Stored Procedure-SpecificPrivileges The following rules apply to privileges specific to stored procedures: • CREATE PROCEDURE and CREATE EXTERNAL PROCEDURE are database- or user-level privilege only. • ALTER PROCEDURE, ALTER EXTERNAL PROCEDURE, DROP PROCEDURE, and EXECUTE PROCEDURE are allowed on databases, users, or specified stored procedures. • DROP and EXECUTE can be used as abbreviations for DROP PROCEDURE and EXECUTE PROCEDURE while granting privileges, if you specify the object type PROCEDURE as a qualifier for the stored procedure name. The following happens if PROCEDURE is not specified before the object name: IF the request is... THEN... GRANT EXECUTE the object is assumed to be a macro. If no macro of that name exists, an error or failure is returned. GRANT DROP an error or failure is returned. CREATE EXTERNAL PROCEDURE Privilege Do not grant the CREATE EXTERNAL PROCEDURE privilege to any user unless they are explicitly assigned to code an external procedure for your site. Even then, you should restrict this privilege to only your most trusted programmers. You must also ensure that the external procedure, once written, is thoroughly tested to verify that it does not compromise the system in any way. The system does not grant the CREATE EXTERNAL PROCEDURE privilege automatically when you create a user or database. Nor is CREATE EXTERNAL PROCEDURE granted on a database unless an owner explicitly has this privilege on itself WITH GRANT OPTION. Note: This functionality is different from the CREATE MACRO privilege, where the system grants CREATE MACRO automatically when you create a database or user, as well as the privilege held implicitly by an owner. External stored procedures execute as part of the system when running in unprotected mode (see “CREATE PROCEDURE (External Form)/REPLACE PROCEDURE (External Form)” in SQL Data Definition Language), while protected mode external stored procedures run in a separate process as an ordinary user named tdatuser. Teradata Database is configured as a trusted user or system user. This means that on a UNIX-based system, for example, it has all of the privileges of the root user. For Windows-based systems, Teradata Database runs in system mode. This means it can access and modify any file on the local set of disks even if the file is protected or read only. There is no way to protect the system from a malicious user who has been granted these privileges. 68 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Granting Privileges on User-Defined Functions The rules for granting privileges on user-defined functions are identical to those for macros except for the CREATE FUNCTION and EXECUTE FUNCTION privileges, as documented in the following table, which explains which user-defined function-related privileges are granted explicitly or not: Privilege Usage Notes ALTER FUNCTION • Not granted automatically to the creator when it creates a database or user. • Not granted automatically to a database or user when it creates a database or user. • Held implicitly only by user DBC. CREATE FUNCTION • Not granted automatically to the creator when it creates a database or user. • Held implicitly only by user DBC. DROP FUNCTION • Granted automatically WITH GRANT OPTION to the creator of a user, database, or function. • Granted automatically without grant option to a created database or user on itself. • Held implicitly on a database or user for an owner of that database or user. EXECUTE FUNCTION • Granted automatically WITH GRANT OPTION to the creator of a function. • Not granted automatically to the creator to the creator when it creates database or user. • Held implicitly only by user DBC. Furthermore, all newly created user-defined functions are performed in protected mode by default (see “ALTER FUNCTION” in SQL Data Definition Language).3 The ALTER FUNCTION privilege should be restricted to DBAs exclusively. Its intent is to permit a user to perform the ALTER FUNCTION statement, which can be used to change the execution mode of a UDF. Changing the execution mode for a user-defined function from PROTECTED to NOT PROTECTED, for example, is not an act that should be performed without exercising extreme caution. 3. This is also true for all newly created methods and external stored procedures. See “ALTER METHOD” in SQL Data Definition Language and “ALTER PROCEDURE” in SQL Data Definition Language, respectively. SQL Data Control Language 69 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) CREATE FUNCTION Privilege Caution: UDFs execute as part of the database software, which is defined as a trusted user or system user. For example, on UNIX-based systems, the database has all the privileges of the root user, while on Windows-based systems, it runs in system mode, which means it can access and modify any file on the local disks even if they are protected or read-only. As a result, improperly debugged or maliciously written user-defined functions can wreak havoc on your databases. Because of this, you should grant the CREATE FUNCTION privilege with particular care, providing it only to trusted users who are coding UDFs. If you are granted the CREATE FUNCTION privilege on a database or user, then any function you create in that database or user has the following privileges WITH GRANT OPTION on that function by default: • DROP FUNCTION • EXECUTE FUNCTION DROP FUNCTION Privilege You must specify DROP FUNCTION to grant that privilege on a database object. If you are granting the privilege on a particular UDF only, then you can specify DROP without also specifying the FUNCTION keyword. When creators have WITH GRANT OPTION on a function, they can grant the following privileges to another user on that function: • DROP FUNCTION • EXECUTE FUNCTION Notice that by holding the DROP FUNCTION privilege on a function, a user can also replace that function. If that user drops the function, however, they cannot replace it at a later time without also being granted the CREATE FUNCTION privilege. EXECUTE FUNCTION Privilege You must specify EXECUTE FUNCTION to grant that privilege on all functions in a database. For example, the following GRANT statement grants the EXECUTE privilege on all functions in SYSLIB: GRANT EXECUTE FUNCTION ON SYSLIB TO user_xyz; You need only specify EXECUTE to grant the EXECUTE FUNCTION privilege on an individual UDF. For example, the following GRANT statement grants the EXECUTE privilege only on the function with the specific function name sales to user_xyz: GRANT EXECUTE ON SPECIFIC FUNCTION SYSLIB.sales TO user_xyz; UDT-Related Privileges Initially, only user DBC has UDT privileges on SYSUDTLIB, which DBC holds implicitly. Any other user or role must be explicitly granted UDT privileges on SYSUDTLIB in order to execute SQL statements that involve UDTs. 70 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) There are three UDT-related privileges: • UDTMETHOD (see “UDTMETHOD Privilege” on page 73). UDTMETHOD allows a user to use, create, drop, or modify any UDT and its methods without restriction. You can only grant this privilege at the database level, specifically on the SYSUDTLIB database: there are no UDT object-level privileges for UDTMETHOD. • UDTTYPE (see “UDTTYPE Privilege” on page 73). UDTTYPE allows a user to create, alter and drop UDTs in addition to the privileges UDTUSAGE permits. You can only grant this privilege at the database level: there are no UDT object-level privileges for UDTTYPE. • UDTUSAGE (see “UDTUSAGE Privilege” on page 72). UDTUSAGE allows a user to execute all SQL statements that reference existing UDTs and their existing methods. This means that a user with the UDTUSAGE privilege on a particular UDT can perform the following operations: • Create a new table that is defined with a column having that UDT type. • Alter an existing table that is defined with a column having that UDT type. • Reference that UDT in a query, UDF, or stored procedure. • Execute all methods that are associated wholly with the UDT type. Methods that involve additional UDTs require you to have the UDTUSAGE privilege on any such UDTs as well. UDTUSAGE does not permit a user to perform any of the following operations: • Create new UDTs. • Drop existing UDTs. • Alter the ordering, casting, or transform behavior of existing UDTs. • Create new methods. • Drop or replace existing methods. Unlike UDTMETHOD and UDTTYPE, you can grant UDTUSAGE on either a specific UDT (as TYPE UDT_name) or on the entire SYSUDTLIB database. ALL PRIVILEGES and UDTs When you specify ALL PRIVILEGES on the SYSUDTLIB database, the system grants the UDTMETHOD privilege along with the other privileges ALL PRIVILEGES provides, assuming the creator has the privilege WITH GRANT OPTION. A user who is granted UDTMETHOD via the ALL PRIVILEGES path WITH GRANT OPTION can then grant others the UDTUSAGE, UDTTYPE, or UDTMETHOD privileges, optionally also with the WITH GRANT option. SQL Data Control Language 71 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) UDTUSAGE Privilege The UDTUSAGE privilege allows a user to use a UDT in a table or view and to execute all methods associated wholly with that UDT. They cannot create or delete UDTs, create, alter, or delete methods, or alter the behavior of a UDT with respect to ordering, casting, or transform functionality. You can grant UDTUSAGE at either the database or UDT object level. IF granted at this level … UDTUSAGE must be granted on the … database SYSUDTLIB database only. UDT object name of the UDT. A user with the UDTUSAGE privilege on a specific UDT can perform the following statements and operations: • CREATE TABLE or ALTER TABLE for tables that contain columns that use that UDT. • Reference that UDT in queries, UDFs, and stored procedure that reference the UDT. • Execute all methods associated wholly with the UDT. Methods that involve other UDTs also require the UDTUSAGE privilege on those UDTs. With regard to nested structured UDTs, be aware that privileges are not automatically inherited from their parents. For example, if you have been granted UDTUSAGE on a top-level structured UDT attribute, you can then specify a column with that type in a create table operation. However, that privilege does not grant you the ability to use observer or mutator methods on any of the structured attributes in the lower layers of that UDT, nor can you invoke any of the methods defined for those lower layered attributes. To enable that sort of access, you must grant UDTUSAGE explicitly on each individual UDT component of the nested UDT type or grant UDTUSAGE explicitly on the SYSUDTLIB database. UDTUSAGE is not an automatically granted privilege. A user must either be granted this privilege explicitly or acquire it through a role. Users who are granted UDTUSAGE WITH GRANT option can then grant others the UDTUSAGE privilege, optionally with the WITH GRANT option privilege. UDTUSAGE is represented by the code UU in the AccessRight column of the DBC.AccessRights table. User DBC has implicit UDT privileges on the SYSUDTLIB database. Any other user or role that needs to access the UDT-related objects in SYSUDTLIB must first be granted the appropriate UDT privileges on SYSUDTLIB or a specific UDT in the SYSUDTLIB database explicitly. 72 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) UDTTYPE Privilege The UDTTYPE privilege gives a user all the privileges associated with UDTUSAGE as well as permitting that user to execute all SQL statements that reference UDTs without creating new methods or dropping or replacing existing methods. A user with the UDTTYPE privilege can perform the following statements and operations: • CREATE TYPE without specifying method signatures. • DROP TYPE. • ALTER TYPE without adding or dropping method signatures. • CREATE ORDERING and DROP ORDERING. • CREATE CAST and DROP CAST. • CREATE TRANSFORM and DROP TRANSFORM. • CREATE TABLE with UDT columns. • Reference any UDT in an SQL statement, UDF, or stored procedure. • Perform all methods. The specified database_name in the ON clause must be SYSUDTLIB. UDTTYPE is not an automatically granted privilege. A user must either be granted this privilege or acquire it through a role. Users who are granted UDTTYPE WITH GRANT OPTION can then grant others either the UDTUSAGE or UDTTYPE privilege, optionally with the WITH GRANT option privilege. UDTTYPE is represented by the code UT in the AccessRight column of the DBC.AccessRights table. UDTMETHOD Privilege The UDTMETHOD privilege allows a user to use any UDT and its methods without any restrictions. Its functionally includes both of the following privileges: • UDTUSAGE on all UDTs in the SYSUDTLIB database. • UDTTYPE on the SYSUDTLIB database. A user with the UDTMETHOD privilege can perform the following statements and operations: • CREATE TYPE with or without specifying method signatures. • DROP TYPE. • ALTER TYPE with or without adding or dropping method signatures. • CREATE ORDERING and DROP ORDERING. • CREATE CAST and DROP CAST. • CREATE TRANSFORM and DROP TRANSFORM. • CREATE TABLE with UDT columns. SQL Data Control Language 73 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) • Reference any UDT in an SQL statement, UDF, or stored procedure. • Execute all methods. • CREATE METHOD and ALTER METHOD and REPLACE METHOD. The specified database_name in the ON clause must be SYSUDTLIB. UDTMETHOD is not an automatically granted privilege. A user must either be granted this privilege explicitly, acquire it through ALL PRIVILEGES, or acquire it through a role. Users who are granted UDTMETHOD WITH GRANT OPTION can then grant others the UDTUSAGE, UDTTYPE, or UDTMETHOD privilege, optionally with the WITH GRANT option. UDTMETHOD is represented by the code UM in the AccessRight column of the DBC.AccessRights table. Caution: UDMs execute as part of the database software, which is defined as a trusted user or system user. For example, on UNIX-based systems, the database has all the privileges of the root user, while on Windows-based systems, it runs in system mode, which means it can access and modify any file on the local disks even if they are protected or read-only. As a result, improperly debugged or maliciously written user-defined methods can wreak havoc on your databases. Because of this, you should grant the UDTMETHOD privilege with particular care, providing it only to trusted users who are coding UDT-related database objects. Granting Privileges to Roles Roles define privileges on database objects. A database administrator can create different roles for different job functions and responsibilities, grant specific privileges on database objects to the roles, and then grant membership to the roles to users. Users who are members of a role can access all the objects for which the role has privileges. A role that has roles granted to it cannot be granted to a role. Roles cannot be granted the CREATE DATABASE, CREATE ROLE, CREATE PROFILE, CREATE USER, DROP DATABASE, DROP ROLE, DROP PROFILE, or DROP USER privileges. Roles cannot be granted on a database or PUBLIC. To grant role membership to users or other roles, use the GRANT (Role Form) statement. For more information, see “GRANT (Role Form)” on page 38. Case Study: Granting SELECT on a View Assume Allen creates two objects: a table named Allen.BaseTable, and a view on that table named Allen.ViewA. The system verifies that Allen has SELECT privilege on Allen.BaseTable when ViewA is created. Also assume Allen grants the SELECT privilege on ViewA to Bobby. Bobby then creates Bobby.ViewB, which references Allen.ViewA. The Parser verifies that Bobby has SELECT privilege on Allen.ViewA when Bobby.ViewB is created. 74 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) The following stages summarize this process: 1 Allen creates the base table Allen.BaseTable. 2 Allen creates the view Allen.ViewA that references Allen.BaseTable. He has the SELECT privilege on Allen.BaseTable. 3 Allen grants the SELECT privilege on Allen.ViewA to Bobby. 4 Bobby creates Bobby.ViewB that references Allen.ViewA. Bobby has the SELECT privilege on Allen.ViewA. 5 End of process. Bobby now wants to grant the SELECT privilege on Bobby.ViewB to Chuck. Bobby can grant the privilege to Chuck, but Chuck cannot use the views in a query unless Allen grants Bobby the SELECT privilege on Allen.ViewA WITH GRANT OPTION. The same privilege is required when a macro references an object owned by a user other than its creator. For example, assume that the macro Bobby.MacroB deletes rows from Allen.ViewA. Other users cannot execute Bobby.MacroB unless Bobby has the EXECUTE privilege WITH GRANT OPTION on Bobby.MacroB. Case Study: More on Views Assume that the view Bobby.ViewB references the view Allen.ViewA, which in turn references Allen.BaseTable. When Bobby enters the following statement, the system checks that the privileges in the table following the statement exist. GRANT INSERT, DELETE ON Bobby.ViewB TO Chuck; The following stages explain this process: 1 Bobby has INSERT WITH GRANT OPTION on Bobby.ViewB or on himself. 2 Bobby has DELETE WITH GRANT OPTION on Bobby.ViewB or on himself. 3 End of process. Unless revoked, Bobby has these privileges on Bobby.ViewB explicitly because they were granted to him automatically when he created the view. Bobby also had these privileges on himself because they were granted explicitly when user Bobby was created. Because Bobby owns Bobby.ViewB, he also has these privileges implicitly. Implicit privileges cannot be revoked. For any other type of privilege, however, the system might not find one or more of the necessary privileges. In this case, the system returns an error message to the user submitting the GRANT statement and the statement is not performed. SQL Data Control Language 75 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) The breakdown of privilege types for this example is as follows: FOR this category of privilege … THIS individual … HAS this privilege … ON this object … Automatic Bobby INSERT WITH GRANT OPTION Bobby.ViewB DELETE WITH GRANT OPTION Allen INSERT WITH GRANT OPTION Allen.BaseTable DELETE WITH GRANT OPTION Explicit Bobby INSERT WITH GRANT OPTION Allen.ViewA DELETE WITH GRANT OPTION Case Study: Stored Procedures Assume that user_1 is to be granted CREATE PROCEDURE privilege on the accounting database. Assume that the grantor is an owner of the database and that she has the explicit CREATE PROCEDURE and EXECUTE PROCEDURE privileges WITH GRANT OPTION on herself.4 The following GRANT request must be submitted so that user_1 can create procedures in the accounting database: GRANT CREATE PROCEDURE ON accounting TO user_1; To grant CREATE PROCEDURE, DROP PROCEDURE, and EXECUTE PROCEDURE privileges to user_1 on all stored procedures in the accounting database, submit the following GRANT request: GRANT CREATE PROCEDURE, EXECUTE PROCEDURE, DROP PROCEDURE ON accounting TO user_1; If the keyword PROCEDURE is specified without CREATE or DROP in a GRANT request, it confers both CREATE PROCEDURE and DROP PROCEDURE privileges (at the user or database level). The following example assumes that the grantor has the privileges required to grant CREATE PROCEDURE and DROP PROCEDURE privileges to user_1 on the accounting database: GRANT PROCEDURE ON accounting TO user_1; 4. This grant cannot be made unless one of the following is true: • The grantor has both the CREATE PROCEDURE and EXECUTE PROCEDURE privileges WITH GRANT OPTION on itself and on the user or database WITH GRANT OPTION. • The grantor is user DBC. 76 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Assume that user_1 needs to be granted EXECUTE PROCEDURE privilege WITH GRANT OPTION on the stored procedure daily_updates in the database accounting. Assume that the grantor has the EXECUTE PROCEDURE WITH GRANT OPTION privilege on the stored procedure or its containing database. The following GRANT request needs to be submitted: GRANT EXECUTE ON PROCEDURE accounting.daily_updates TO user_1 WITH GRANT OPTION; This request can also be specified using the following syntax: GRANT EXECUTE PROCEDURE ON accounting.daily_updates TO user_1 WITH GRANT OPTION; Note that the following GRANT request returns an error because the syntax is valid only for macros, and daily_update is not a macro: GRANT EXECUTE ON accounting.daily_update TO user_1 WITH GRANT OPTION; To grant ALTER PROCEDURE, EXECUTE PROCEDURE, and DROP PROCEDURE privileges to user_1 on the stored procedure weekly_update, the necessary GRANT request looks like either of these requests, assuming the grantor has the privileges to perform the grant: GRANT ALTER PROCEDURE, EXECUTE, DROP PROCEDURE ON PROCEDURE weekly_update TO user_1; GRANT ALL ON PROCEDURE accounting.weekly_update TO user_1;. Example 1: Granting Privileges to a Group of Users The following request grants privileges to a group of users. In this example, all users created under the finance database are granted the privilege to SELECT data from the department table, which is in the personnel database: GRANT SELECT ON personnel.department TO ALL finance; Example 2: Granting Privileges to PUBLIC The PUBLIC keyword (see “PUBLIC Privileges” on page 27) grants privileges to all existing and future Teradata Database users: GRANT SELECT ON personnel.department TO PUBLIC; SQL Data Control Language 77 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Example 3: Granting SELECT on Any Object The following statement allows Moffit to retrieve information from any object in the personnel database: GRANT SELECT ON personnel TO moffit; Example 4: Granting SELECT, INSERT, UPDATE, and DELETE on Any Object The following statement allows Peterson to perform selects, inserts, updates, and deletes on any object in the personnel database: GRANT SELECT, INSERT, UPDATE, DELETE ON personnel TO peterson; Example 5: Granting CREATE and DROP On Users in a Database The following statement allows Phan to create and drop users in the personnel database: GRANT USER ON personnel TO phan; Example 6: Using GRANT SELECT TO ALL The following statement allows all current and future users created under the personnel database to select data from the department table: GRANT SELECT ON personnel.department TO ALL personnel; Example 7: Using WITH GRANT OPTION WITH GRANT OPTION applies to the indicated privileges only. In this example, user George grants all privileges that he has on his own user space to user Marston with the following restrictions: • George can grant only those privileges for which he has WITH GRANT OPTION at the user level. • George must have the WITH GRANT OPTION privilege on the privileges he grants to Marston. GRANT ALL ON marston TO marston WITH GRANT OPTION; 78 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Example 8: Using CREATE ROLE and DROP ROLE The following request allows user Franklin to create and drop roles: GRANT ROLE TO Franklin; Notice that this form does not have an ON clause. If you specify an ON clause for the role privilege, the system returns an error. Example 9: Granting Privileges to a Role The following request grants privileges to a role. In this example, the finance role is granted the privilege to SELECT data from the department table, which is in the personnel database: GRANT SELECT ON personnel.department TO Finance; All users who are granted membership to the finance role also inherit the privilege to SELECT data from the department table in the personnel database when the role is activated for the user. Example 10: Granting Privileges Related to Triggers The following request grants CREATE TRIGGER and DROP TRIGGER privileges to user TrigUser for any table in database TrigDB: GRANT CREATE TRIGGER, DROP TRIGGER ON TrigDB TO TrigUser; The following request grants CREATE TRIGGER and DROP TRIGGER privileges to user TrigUser for TrigTable as the subject table. GRANT CREATE TRIGGER, DROP TRIGGER ON TrigTable TO TrigUser; You can also grant the same privileges as in the previous requests using the short form TRIGGER to mean both CREATE TRIGGER and DROP TRIGGER. For example: GRANT TRIGGER ON TrigDB TO TrigUser; GRANT TRIGGER ON TrigTable TO TrigUser; SQL Data Control Language 79 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Example 11: Granting Privileges on a Function The following GRANT requests grant the following respective privileges: • ALTER FUNCTION on the specific function find_text to users named user_dba and user_in_house. • ALTER FUNCTION on all UDFs in the SYSLIB database to user_dba. • CREATE FUNCTION on the database document_db to user_dba. • EXECUTE FUNCTION on the overloaded function text_process to user sammy. GRANT ALTER FUNCTION ON SPECIFIC FUNCTION find_text TO user_dba, user_in_house; GRANT ALTER FUNCTION ON syslib TO user_dba; GRANT CREATE FUNCTION ON document_db TO user_dba, user_in_house; GRANT EXECUTE ON FUNCTION text_process(CHAR,CHAR,INTEGER) TO sammy; Example 12: Granting the CREATE EXTERNAL PROCEDURE Privilege The following example grants user asst_dba the privilege to create an external stored procedure: GRANT CREATE EXTERNAL PROCEDURE ON PROCEDURE classify TO asst_dba; Example 13: Granting the UDTUSAGE Privilege The following GRANT request grants the following respective privileges: • UDTUSAGE on the SYSUDTLIB database to the user named tester1. • UDTUSAGE on the UDT named circle to the user named tester3. • UDTUSAGE on the UDT named square in database SYSUDTLIB to the user named tester4. GRANT UDTUSAGE ON SYSUDTLIB TO tester1; GRANT UDTUSAGE ON TYPE circle TO tester3; GRANT UDTUSAGE ON TYPE SYSUDTLIB.square TO tester4; 80 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) Example 14: Granting the UDTTYPE Privilege The following GRANT request grants the UDTTYPE privilege on database SYSUDTLIB to the user named tester2: GRANT UDTTYPE ON SYSUDTLIB TO tester2; Example 15: Granting the UDTMETHOD Privilege The following GRANT requests grant the following respective privileges: • UDTMETHOD on SYSUDTLIB to the user named user_DBA with grant option. • UDTMETHOD on SYSUDTLIB to the role named developer_role. GRANT UDTMETHOD ON SYSUDTLIB TO user_DBA WITH GRANT OPTION; GRANT UDTMETHOD ON SYSUDTLIB TO developer_role; Example 16: Granting the REPLCONTROL Privilege The following example grants user s_barroso the privilege to create, alter, and drop replication groups. GRANT REPLCONTROL TO s_barroso; Example 17: Granting the CTCONTROL Privilege The following example grants user kate the privilege to grant the CONNECT THROUGH privilege to user trusteduser2: GRANT CTCONTROL ON trusteduser2 TO kate; To then execute a GRANT CONNECT THROUGH request (see “GRANT CONNECT THROUGH” on page 83), trusteduser2 requires the following privileges: • CTCONTROL on herself. • GRANT … WITH ADMIN OPTION on any role specified (see “GRANT (Role Form)” on page 38. • DROP USER on any PERMANENT users specified as proxy users. Example 18: Granting GLOP Privileges The enterprise wants the sales_bonus UDF to access the special sales GLOP. User Joe creates both the UDF and the GLOP in SYSLIB. The following requests must be executed to make this happen: SQL Data Control Language 81 Chapter 2: SQL Data Control Language Statement Syntax GRANT (SQL Form) A user WITH GRANT OPTION must execute the following GRANT request: GRANT GLOP ON syslib TO Joe; Assuming that Joe already has privileges to create a function in SYSLIB, Joe then executes the following requests: Joe creates the GLOP set object first to enable a GLOP to be added. CREATE GLOP SET syslib.sales; Joe then calls the procedure GLOP_Add to add the sales GLOP and associates it with SYSLIB. CALL DBCExtension.GLOP_Add('syslib.sales',...); Finally, Joe creates the function sales_bonus in SYSLIB. CREATE FUNCTION syslib.sales_bonus( … ) RETURNS DECIMAL(6,2) LANGUAGE C MEMBER OF GLOP SET syslib.sales PARAMETER STYLE SQL EXTERNAL; SYSLIB is a public database. For this reason, the Security Administrator instead decides to place the sales GLOP in the finance database, and to make the Finance department responsible for creating the GLOP data. She also wants the UDF to be contained within the finance database. The following requests must be executed to make this happen: A user WITH GRANT OPTION must execute the following GRANT request: GRANT GLOP ON finance TO finance; User finance must then execute the following requests: CREATE GLOP SET sales; CALL DBCExtension.GLOP_Add('sales', … ); GRANT GLOP MEMBER ON finance.sales TO finance; User Joe creates the function in the finance database. Joe must first be granted the privilege to create the UDF in the finance database by someone with the privileges to enable him to do that: CREATE FUNCTION finance.sales_bonus( … ) RETURNS DECIMAL(6,2) LANGUAGE C MEMBER OF GLOP SET finance.sales PARAMETER STYLE SQL EXTERNAL; Related Topics See “REVOKE (SQL Form)” on page 107 for information about revoking privileges granted by the SQL form of GRANT. 82 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH GRANT CONNECT THROUGH Purpose Grants the privilege to connect as a proxy permanent or proxy application user through the specified trusted user, storing the information in DBC.ConnectRulesTbl. The statement grants the specified trusted user the privilege to: • Connect as the specified permanent or application user. • Set roles for the specified permanent or application user. The specified trusted user is granted the privilege to assert the identity of the proxy user names specified in its defining SET QUERY_BAND request (see “SET QUERY_BAND” in SQL Data Definition Language). Syntax trusted_user_name GRANT CONNECT THROUGH , A , PERMANENT , 25 application_user_name A TO WITH ROLE 15 role_name , 25 permanent_user_name WITH ROLE 15 ; role_name WITHOUT ROLE 1101A54 where: Syntax element … Specifies … trusted_user_name the name of the user receiving the CONNECT THROUGH privilege. trusted_user_name must be the name of a permanent user who is already defined in Teradata Database, but cannot be user DBC. This grants the specified trusted user the privilege to assert the identity of the specified proxy user names. Note that trusted_user_name should not identify an end user. Its intent is to identify a middle-tier application such as a CRM application or Viewpoint. SQL Data Control Language 83 Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH Syntax element … Specifies … application_user_name the name of an application user to whom the proxy logon privilege is to be granted through trusted_user_name. Application user names can be specified any time that creating a permanent user for every end user of a middle tier application would not be manageable. Application user names are not defined in Teradata Database, but they must follow Teradata object naming conventions. An application user name can be anything that represents the client connecting to the middle tier, such as a client name or an ATM identifier. application_user_name must be unique for the specified trusted_user_name (see “Application Proxy Users” on page 88). You can specify a maximum of 25 application user names per GRANT CONNECT THROUGH request, but there is no limit to the number of application user names that can be granted logon privileges to a trusted user. The system adds the names you specify to the CONNECT THROUGH privileges for trusted_user_name. Note that you must specify at least one role in the WITH ROLE clause for each application proxy user that you specify. permanent_user_name the name of a permanent user to whom the proxy logon privilege is to be granted through trusted_user_name. permanent_user_name must be the name of a permanent Teradata Database, but cannot be user DBC. permanent_user_name must be unique for the specified trusted_user_name (see “Permanent Proxy Users” on page 88). You can specify a maximum of 25 names per GRANT CONNECT THROUGH request, but there is no limit to the number of permanent user names that can be granted logon privileges to a trusted user. The system adds the names you specify to the CONNECT THROUGH privileges for trusted_user_name. 84 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH Syntax element … Specifies … WITH ROLE role_name a set of role names to be assigned to the proxy connection. The string you specify for role_name must be the name of an internal role that is already defined in Teradata Database.a In this context, ALL, NONE, and NULL are not valid role names. You must specify at least one role name for application proxy users, while you can specify WITHOUT ROLE for permanent proxy users. You can specify a maximum of 15 role names per proxy user. Unlike the maxima for permanent and application user names, this is an absolute maximum per proxy user, not a per request maximum. If a CONNECT THROUGH privilege already exists for the specified trusted_user:permanent_user or trusted_user:application_user name pair, the system adds the roles you specify to the existing CONNECT THROUGH privilege. Note that changes to a CONNECT THROUGH privilege are effective immediately, so the next request submitted in a proxy connection following a change to a CONNECT THROUGH privilege picks up the new privilege definition. Be aware that when roles are dropped, they are removed from the CONNECT THROUGH privilege definition, so a rule can be left with no roles defined for it. When proxy users who have privileges that were set with the WITH ROLE clause, but later have those roles dropped, Teradata Database grants them PUBLIC privileges only. If the addition of new roles causes the number of roles assigned to the privilege to exceed 15, the request aborts and the system returns an error to the requestor. If this happens, you can submit an appropriate REVOKE CONNECT request to remove one or more roles from the privilege. See “REVOKE CONNECT THROUGH” on page 124 for information about how to use this statement. either by default or when the proxy connection sets PROXYROLE=ALL, the system activates all of the role names specified in the WITH ROLE clause. If a proxy connection specifies PROXYROLE=role_name, the specified role name must be one of the roles specified by the WITH ROLE clause of the current request. Teradata Database then sets the role for the proxy connection to this role. Note that you cannot specify either WITH ROLE NONE or WITH ROLE NULL. WITHOUT ROLE to assign the privileges and roles of the specified permanent user to the CONNECT THROUGH privilege. You cannot specify the WITHOUT ROLE option for application users. a. An internal role is a role that is managed by Teradata Database, as opposed to an external role, which is directory-managed. See “CREATE ROLE” in SQL Data Definition Language. ANSI Compliance GRANT CONNECT THROUGH is a Teradata extension to the ANSI SQL:2008 standard. SQL Data Control Language 85 Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH Required Privileges You must have the CTCONTROL privilege (see “CTCONTROL Privilege” on page 65) to perform a GRANT CONNECT THROUGH request. You must also have the WITH ADMIN OPTION privilege on each of the roles specified in the WITH ROLE clause of the request. You must have the DROP USER privilege on each of the users specified as PERMANENT proxy users. About the GRANT CONNECT Privilege The following facts and rules apply to Teradata trusted sessions. • Do not use trusted sessions with applications that permit end users to submit or modify SQL requests sent to Teradata Database. • The GRANT CONNECT THROUGH statement is a special version of the SQL form of the GRANT statement (see “GRANT (SQL Form)” on page 41). Its purpose is to grant the CONNECT THROUGH privilege to the specified permanent user or application user through the specified trusted user. These terms are defined as follows: Term Application user Definition The name of an application user to which the GRANT CONNECT proxy logon privilege is to be granted. Application user names are not defined in Teradata Database, but they must follow Teradata object naming conventions. You can specify up to 25 names in a single grant request. The specified names are then added to the grant privileges for the specified trusted user. There is no limit to the number of application user names that can be granted logon privileges to a single trusted user. Permanent user A user who is defined to Teradata Database. In a GRANT CONNECT THROUGH request, this is the name of a user to whom the proxy logon privilege is to be granted. There is no limit to the number of permanent users who can be granted logon privileges to a trusted user. Trusted user A permanent user, previously defined to Teradata Database, who receives the CONNECT THROUGH privilege by means of a GRANT CONNECT THROUGH request. This grants the trusted user the ability to assert the identity of the proxy user specified in the GRANT CONNECT THROUGH request. • Application and permanent users are collectively referred to as proxy users. A proxy user is any user who connects to Teradata Database using the session of a trusted user. 86 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH • A proxy connection is a connection to Teradata Database in which the user validated for privileges and logging is a proxy user who uses the privileges that are assigned to it. All other session-level attributes are those set for the trusted user such as the user name that actually logged onto Teradata Database, the account name, and spool and temporary space allocations. • Performance management APIs such as MonitorSession and AbortSession identify sessions by their trusted user name. • The system enforces Teradata Active System Management rules for trusted users, but not for proxy users. • A session has a value for each of the following columns. The same values are used for the session whether it has a proxy connection or not. • • • • • • • • UserName UserId Account Role Profile DefaultDatabase • • • • • • TimeZone DateForm CharType Collation Transaction Isolation Level UDF Function Trace • • • • • Replication Override ProxyUser ProxyUserId ProxyRole ProxyRoleId WHEN the proxy user is … THEN the creator of all objects created in a proxy connection is the … a permanent user permanent user. an application user trusted user. The following built-in functions return information about the proxy connection-related session values. See SQL Functions, Operators, Expressions, and Predicates for details. • USER returns the name of the trusted user for the session. • CURRENT_USER returns the proxy user name if the user is in a proxy connection; otherwise, CURRENT_USER returns the session user name. • ROLE returns the current role name for the trusted user. • CURRENT_ROLE returns the proxy user current role if the user is in a proxy connection; otherwise, it returns the trusted user role name. If logon restrictions have been set, such as restricting logons by IP address, the system enforces them only for the trusted user logon. Such restrictions are not enforced when a proxy username is asserted for the session. SQL Data Control Language 87 Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH Application Proxy Users An application proxy user name can be anything that represents the client connection with the middle tier application, such as a client name or an ATM identifier. The granularity of application proxy users is largely at your discretion. For example, the term ATM identifier could refer to granularities as different as an identifier for an individual ATM in an ATM network or an identifier for an individual user of any of the ATMs in the network. The roles that can be active in a proxy connection are those defined in the CONNECT THROUGH privilege at the time the proxy connection is made. You cannot have duplicate application and permanent proxy user names for the same trusted user. For example, consider the following GRANT CONNECT THROUGH requests submitted in the order indicated: GRANT CONNECT THROUGH msi TO sbd WITH ROLE finance_role; GRANT CONNECT THROUGH msi TO sbd WITH ROLE hr_role; The second request returns a duplicate proxy user name error because the application proxy user named sbd already exists as granted through trusted user msi. You must specify at least one role in the WITH ROLE clause for each application proxy user. The following rules apply to the roles assigned to application proxy users: • Only roles that are defined in the CONNECT THROUGH privilege at the time a proxy connection is made can be active in that connection. All role names specified in the WITH ROLE clause are active in the proxy connection by default. • The specified roles are the only roles that can be set for the proxy connection. • You cannot set the current role in the proxy connection to NONE or NULL. • The privileges for the proxy connection are those for its active roles and PUBLIC. Permanent Proxy Users A permanent proxy user is an existing permanent user who is defined to Teradata Database. A GRANT CONNECT THROUGH request validates that a permanent proxy user who is specified in that request exists in Teradata Database. The anticipated use of permanent proxy users is for intranet-type middle tier applications that, for example, might display employee pay stubs or information about available vacation time. Teradata Database assigns the name of the permanent proxy user as the creator of any objects created while the proxy connection is in effect. You cannot have duplicate application and permanent proxy user names for the same trusted user. For example, consider the following GRANT CONNECT THROUGH requests submitted in the order indicated: GRANT CONNECT THROUGH crm TO PERMANENT mary; GRANT CONNECT THROUGH crm TO mary WITH ROLE hr_role; 88 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH The second request returns a duplicate proxy user name error because the permanent proxy user named mary already exists as granted through trusted user crm. All roles specified in a WITH ROLES clause are active in a proxy connection by default. Note, however, that changes to a CONNECT THROUGH privilege definition are effective immediately, so the next request submitted in a proxy connection following a change to a CONNECT THROUGH privilege uses the new definition. Be aware that when roles are dropped, they are also removed from the CONNECT THROUGH privilege definition, so it is possible for a rule to be left with no roles defined for it. When you drop all of the roles that were assigned to a CONNECT THROUGH privilege definition, Teradata Database grants the affected proxy users PUBLIC privileges only. The roles that can be set for a permanent proxy user in a proxy connection are different depending on the WITH ROLES clause in the GRANT CONNECT THROUGH request, as listed in the following table: IF you specify a … THEN … WITH ROLE clause in your GRANT CONNECT THROUGH request • all role names you specify are active in the proxy connection by default. The roles in the WITH ROLE clause do not need to be granted directly to the user. The GRANT CONNECT THROUGH request grants this privilege by default. • the specified roles are the only roles that can be set for the proxy connection. • setting the current role to NONE or NULL in the proxy connection is not permitted. • the privileges for the proxy connection are those for its active roles and PUBLIC. WITHOUT ROLE clause in your GRANT CONNECT THROUGH request • the default role for the proxy connection is the default role defined for the permanent user. • the roles that can be set for the proxy connection are restricted to those granted to the user. In this case, the role in the proxy connection can also be set to NONE or NULL. • the privileges for the proxy connection are those granted to the permanent user, its active roles, and PUBLIC. Granting CONNECT THROUGH to Multiple Trusted Users A permanent or application user can be granted CONNECT THROUGH privileges through different trusted users with different roles. Consider the following example requests, both for an application proxy user: GRANT CONNECT THROUGH msi TO debbieg WITH ROLE msirole; GRANT CONNECT THROUGH tadmin TO debbieg WITH ROLE tadminrole; SQL Data Control Language 89 Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH After these requests have been successfully submitted, both the msi and tadmin trusted users have proxy connect privileges for the application user debbieg; however, when performing the respective proxy connections, each session for debbieg is set to a different role: msirole through trusted user msi and tadminrole through trusted user tadmin. CONNECT THROUGH and Access Logging The system logs each GRANT CONNECT THROUGH request in the access log when logging has been enabled with BEGIN LOGGING requests like the following: BEGIN LOGGING ON EACH GRANT; CONNECT THROUGH and Parameter Markers Parameter markers are not supported for GRANT CONNECT THROUGH requests. CONNECT THROUGH and User DBC You cannot specify user DBC as either the trusted user or as a proxy user in a GRANT CONNECT THROUGH request. Dictionary Storage of CONNECT THROUGH Metadata The dictionary table DBC.ConnectRulesTbl stores information on which proxy users can connect through which trusted users and what roles are available to make proxy connections. The table contains one row for every trusted_user_name:proxy_user_name combination. When the system processes a GRANT CONNECT THROUGH request, it writes a row to DBC.ConnectRulesTbl for each of the following pairs that you specify: • Trusted user name:permanent user name • Trusted user name:application user name The row persists until either you drop the trusted user or the permanent user. To provide an audit trail for the management of the rules, the system retains the row if the privilege is revoked, but the user is not dropped. DBC.ConnectRulesTbl.GrantStatus contains a G if the privilege is granted and an R if it is revoked. See Data Dictionary for details about DBC.ConnectRulesTbl. 90 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH Example 1 The following GRANT CONNECT THROUGH request grants the CONNECT THROUGH privilege to permanent user sbd with the assigned proxy connection role admin through trusted user viewpoint. GRANT CONNECT THROUGH viewpoint TO PERMANENT sbd WITH ROLE admin; After this request has been successfully submitted, user sbd has proxy connect privileges through the trusted user viewpoint, and whenever sbd makes a proxy connection, the system assigns him to the admin role. Example 2: Specifying Roles for a Proxy Connection All roles specified in the WITH ROLE clause of this example are active by default in the proxy connection. If no ProxyRole is set for application user dg120 in the proxy connection, the active roles are salesrole1, salesrole2, and salesrole3. The proxy connection can be set to one role that is in the WITH ROLE clause. For example, the ProxyRole for application user dg120 can be set to salesrole1, salesrole2, or salesrole3, but no other roles are permitted. GRANT CONNECT THROUGH dcm TO dg120, ks392, lm190 WITH ROLE salesrole1, salesrole2, salesrole3; Example 3: Specifying WITHOUT ROLE for a Proxy Connection When you set a WITHOUT ROLE clause for a permanent proxy user, as the following request demonstrates, the system uses the privileges and roles granted to that permanent user, and the default proxy role is the default role defined for the proxy permanent user. The roles that can be set for the proxy user are restricted to the roles granted to the proxy permanent user GRANT CONNECT THROUGH trm TO PERMANENT accting WITHOUT ROLE; SQL Data Control Language 91 Chapter 2: SQL Data Control Language Statement Syntax GRANT CONNECT THROUGH Related Topics 92 FOR more information on … SEE … Revoking proxy connections “REVOKE CONNECT THROUGH” on page 124 Setting query bands to enable proxy connections “SET QUERY_BAND” in SQL Data Definition Language Administering trusted sessions Database Administration Security issues related to trusted sessions Security Administration The dictionary attributes of trusted sessions Data Dictionary SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT LOGON GRANT LOGON Purpose Does either of the following: • Gives specific users permission to log on to Teradata Database from one or more specific client systems. • Changes the current system logon defaults. Syntax , GRANT LOGON ON host_id AS DEFAULT , ALL TO WITH NULL PASSWORD ; user_name FROM 1101C027 where: Syntax Element... Specifies... host_id a mainframe channel connection or a local area network connection that is currently defined to the system by the hardware configuration data. The interface need not be operational. The host ID for the Teradata Database console is 0. For any other connection, host_id can be any value ranging from 1 to 1023 inclusive. SQL Data Control Language FOR this platform operating system … You can define this many host_ids per node … UNIX 1. Windows multiple. 93 Chapter 2: SQL Data Control Language Statement Syntax GRANT LOGON Syntax Element... Specifies... The difference exists because UNIX-based systems see all LANs as the same client on a node, while Windows-based systems do not. The limit on UNIX systems is absolute and is true irrespective of how many network adapters are configured for a given node. As a result, if LAN host ID separation is required to support a function such as security isolation on a UNIX-based system, then some nodes must be physically connected to only one LAN and defined as, for example, host_id_1, while other nodes must be physically connected to only one other LAN, with those connections being defined under a different host ID such as host_id_2, for example. This means that for a multisession situation on a UNIX-based system, such as a MultiLoad run, sessions can only be established on a subset of the system nodes rather than being spread across all nodes evenly. This can have a negative impact on PE and Gateway activities such as the acquisition phase of MultiLoad. ALL any source through which a logon is attempted, including the Teradata Database system console. AS DEFAULT that the current default for the specified host_id set is to be changed, without residual conditions, as defined in this GRANT LOGON statement. A statement with AS DEFAULT has no effect on the access granted to or revoked from particular user names. A statement that sets the default for a specific host_id takes precedence over a statement that sets the default for ALL client systems. TO FROM the clause that specifies the recipient of the GRANT results. user_name one or more user names whose current system logon defaults are to be changed. • You cannot specify the name DBC as a user name in a GRANT LOGON statement. A statement that includes this name returns an error message. • The product of the number of host IDs times the number of user names cannot exceed 25. WITH NULL PASSWORD to permit a logon string that has no password to be accepted from the specified client system community. The initial default is that all logon requests must include a password. The WITH NULL PASSWORD option, in conjunction with a TDP security exit procedure, negates that default. This option implies that the user has been authenticated externally and not by the database. See Security Administration for details. ANSI Compliance GRANT LOGON is an extension to the ANSI SQL:2008 standard. 94 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT LOGON Required Privileges You must have the EXECUTE privilege on the DBC.LogonRule macro to perform GRANT LOGON. System Privilege Checks A statement that includes the AS DEFAULT option has no effect on the logon access granted to or revoked from specific user names. A user named in a GRANT LOGON statement can always access the applicable client system even if that client has a default of REVOKE, and a user named in a REVOKE LOGON statement cannot access the applicable client system even if that client has a default of GRANT. When a GRANT LOGON statement is submitted, the system checks that the requesting user has EXECUTE privilege on the system macro associated with that statement. However, no checks are made on whether the user names defined in the statement apply to users owned by the requesting user. If the submitted statement cannot be verified because, for example, it specifies a non-valid user name or an invalid host ID, no action is taken on the statement. GRANT LOGON for One or More User Names When a GRANT LOGON statement is processed for one or more user names, a logon control record is created for each user_name/host_ID pair specified. Any existing control record for a particular user_name/host_ID pair is replaced. The logon control record created for a particular user name persists until that user is dropped (see “DROP USER” in SQL Data Definition Language). If No Logon Control Record for a User Name If there is no logon control record for a specific user name, access to Teradata Database under that name is governed by the current default for the host ID through which the logon is entered. Logging On as User DBC Logging onto Teradata Database as user DBC requires a password. If the submitted password is correct, the logon is accepted regardless of the current default for the applicable host ID. This prevents any opportunity to lock out all client systems from Teradata Database. You cannot grant logon to user name DBC. Logging On Without a Password When Teradata Database is connected to multiple client systems, the initial default is that logon permission is granted to all users from all client systems, and that all logons must include a password. SQL Data Control Language 95 Chapter 2: SQL Data Control Language Statement Syntax GRANT LOGON Logging on without a password requires the following things: • A GRANT LOGON statement that includes the WITH NULL PASSWORD option must be performed for the defined user name or must be the default for the host ID. • A security exit installed in the client system must acknowledge that the logon string for this user is valid without a password. FOR this client type … The security exit is installed in one of these client applications … Channel-attached • TDP • CLI Network-attached CLI Logging On Using External Authentication External authentication permits a user to log onto a computer one time and, for the duration of that logon, to be able to access a Teradata Database without providing a user name, password, or account name. You do this by granting the user logon privileges with a null password. See Security Administration, Database Administration, and Utilities for details about external authentication. The following procedure creates a Teradata Database user who can log onto the system through a gateway that does not have the Append Domain Name option set using the Gtwcontrol utility. This user is already defined to Windows as user rhh. 1 Create user rhh using the following CREATE USER statement. CREATE USER rhh AS PERM = 10000000, PASSWORD = rhh; 2 Grant user rhh the following logon privileges using the GRANT LOGON statement. GRANT LOGON ON ALL TO rhh WITH NULL PASSWORD; 3 96 End of procedure. SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax GRANT LOGON The following procedure creates a Teradata Database user who can log onto the system through a gateway that has Append Domain Name set. This user is already defined to Windows as user rhh and her account is in the esw2kdev domain. 1 Create user rhh using the following CREATE USER statement. CREATE USER "rhh@esw2kdev" AS PERM = 10000000, PASSWORD = rhh; 2 Grant user rhh the following logon privileges using the GRANT LOGON statement. GRANT LOGON ON ALL TO "rhh@esw2kdev" WITH NULL PASSWORD; 3 End of procedure. Related Topics See “REVOKE LOGON” on page 127 for information about revoking logon privileges. SQL Data Control Language 97 Chapter 2: SQL Data Control Language Statement Syntax REVOKE REVOKE Purpose REVOKE rescinds explicit privileges from one or more users, proxy users, databases, or roles. The privileges might have been conferred either automatically or by a previous GRANT statement. ANSI Compliance REVOKE (Role Form) and REVOKE (SQL Form) are ANSI SQL:2008-compliant. The other forms of REVOKE are extensions to the ANSI SQL:2008 standard. Revocation Limits Implicit privileges are governed by ownership and cannot be revoked. You can affect implicit privileges by using the GIVE statement to change ownership (see “GIVE” on page 30 for more information). Forms of REVOKE REVOKE has five forms that differ both in function and in syntax. These forms are documented as follows: • “REVOKE (Monitor Form)” on page 100 • “REVOKE (Role Form)” on page 104 • “REVOKE (SQL Form)” on page 107 • “REVOKE CONNECT THROUGH” on page 124 • “REVOKE LOGON” on page 127 Types of Privileges REVOKE Can Remove The REVOKE statements operate on explicit privileges recorded in the DBC.AccessRights table. This means that you cannot revoke implicit privileges because those privileges are not stored in DBC.AccessRights. Only those explicit privileges that have been granted automatically or explicitly can be revoked. In most cases, implicit privileges only permit the user holding them to grant them to others, not to perform the SQL statements that correspond to those privileges. Generally, you must have explicit privileges to perform access protected SQL statements. The main exceptions to this rule are privileges on views, macros, and stored procedures. See “Implicit Privileges” on page 21 for more information. 98 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE REVOKE (SQL Form) and REVOKE (MONITOR Form) Have Different Functions The SQL and MONITOR forms of REVOKE perform separate functions. To revoke all privileges, including MONITOR, for a user you must perform both of the following statements: REVOKE ALL PRIVILEGES ON object FROM user; REVOKE MONITOR PRIVILEGES FROM user; Both statements assume that you have the appropriate privileges, either implicitly or explicitly, WITH GRANT OPTION. SQL Data Control Language 99 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (Monitor Form) REVOKE (Monitor Form) Purpose Revokes system-wide performance monitoring privileges. Syntax REVOKE A MONITOR GRANT OPTION FOR PRIVILEGES , BUT NOT monitor_privilege , monitor_privilege , A user_name TO FROM ALL PUBLIC 1101A214 where: Syntax Element … Specifies... GRANT OPTION FOR that only the grant authority is removed from the specified privileges for the specified grantees. REVOKE GRANT OPTION FOR revokes the privilege of the recipient to grant, but does not revoke the stated privileges themselves. MONITOR PRIVILEGES to revoke from the specified user all privileges, except MONITOR, that can be granted on the specified object, and that are possessed WITH GRANT OPTION by the user executing the REVOKE. To revoke all privileges for a user, including MONITOR, you must perform at least two statements as follows: REVOKE ALL PRIVILEGES ON object FROM user_name; REVOKE MONITOR PRIVILEGES FROM user_name; ALL PRIVILEGES means all database privileges. 100 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (Monitor Form) Syntax Element … Specifies... If you specify the ALL PRIVILEGES option, then only the privileges possessed with grant authority are revoked from the grantee. MONITOR PRIVILEGES indicates all monitoring privileges. The ANSI SQL:2008 standard requires ALL to be followed by PRIVILEGES. MONITOR BUT NOT to revoke all of the MONITOR privileges except those specified by monitor_privilege. monitor_privilege the monitoring privileges that are to be revoked. You can specify as many of the following privileges as you wish, separated by commas. Privilege Description ABORTSESSION Aborts any outstanding request or ongoing transaction of one or more Teradata Database sessions and, optionally, logs off the sessions. CTCONTROL Disables a user from executing a GRANT CONNECT THROUGH or REVOKE CONNECT THROUGH request. MONRESOURCE Gathers information on the performance and availability of each AMP and PE. MONSESSION Gathers information about logged on sessions and overall system usage on a session-by-session basis. SETRESRATE Sets the frequency at which processor resource usage data is updated in the system. SETSESSRATE Sets the frequency at which session-level performance data is updated in the system. Any combination of privileges can be revoked by a user who has those privileges with GRANT option. ALL that the monitoring privileges are to be to revoked from the named database or user, and every database or user owned by that database or user now and in the future. ALL user_name is a Teradata extension to the ANSI SQL:2008 standard. user_name the database or user from whom monitoring privileges are to be revoked. You can specify up to 25 names. PUBLIC that the monitoring privileges are to be revoked from all currently defined and future users of Teradata Database. ALL DBC is equivalent to PUBLIC. SQL Data Control Language 101 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (Monitor Form) ANSI Compliance The monitor form of REVOKE is an extension to the ANSI SQL:2008 standard. Required Privileges For REVOKE (Monitor), the user submitting a REVOKE statement must have all the privileges that are to be revoked with GRANT option. Privileges Revoked Immediately REVOKE MONITOR takes effect immediately when the revoked user issues his next statement. REVOKE (SQL Form) and REVOKE (Monitor Form) Differences The SQL and MONITOR forms of REVOKE are separate statements. To revoke all privileges for a user, including MONITOR, the grantor must perform both of the following statements. REVOKE ALL PRIVILEGES ON object FROM user_name; REVOKE MONITOR PRIVILEGES FROM user_name; Rules for Using REVOKE (Monitor Form) These keywords … Mean that all … ALL PRIVILEGES database-related privileges are affected. MONITOR PRIVILEGES system monitoring privileges are affected. If you violate either one of the following restrictions, a failure response occurs. This action is not valid … For this type of REVOKE statement … Specify an ON object clause REVOKE MONITOR. Not to specify an ON object clause any other type. The result of performing a REVOKE statement takes effect as soon as the recipient issues his next statement. Revokable Privileges Implicit privileges cannot be revoked. See “Revocation Limits” on page 98 for more information. 102 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (Monitor Form) Revoking the GRANT OPTION for a privilege from a user immediately revokes the privilege of that user to grant that privilege. However, it does not affect privileges that have already been granted by that user to others. IF a … THEN … user receives the same privilege from two or more grantors any grantor with the necessary privileges can revoke that privilege from the user and from other grantees. The user who revokes a privilege from another need not be the grantor of that privilege. privilege that was granted to ALL user_name is revoked from user_name. the privilege is not granted automatically to future users owned by user_name. Example 1 This statement pair revokes all SQL privileges on the accounting database and all monitor privileges on the system from user df2: REVOKE ALL PRIVILEGES ON accounting FROM df2; REVOKE MONITOR PRIVILEGES FROM df2; This example assumes that the revoker has the necessary privileges either implicitly or explicitly WITH GRANT OPTION. Example 2 This statement revokes the ABORTSESSION, MONSESSION, and SETSESSRATE monitor privileges from user pls: REVOKE ABORTSESSION, MONSESSION, SETSESSRATE FROM pls; This example assumes that the revoker has the necessary privileges either implicitly or explicitly WITH GRANT OPTION. Related Topics See “GRANT (Monitor Form)” on page 34 for information about granting monitor privileges. SQL Data Control Language 103 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (Role Form) REVOKE (Role Form) Purpose Revokes a role from users or other roles. Syntax , , role_name REVOKE ADMIN OPTION FOR TO user_name FROM role_name ; KZ01a009 where: Syntax Element … Specifies … ADMIN OPTION FOR that the roles and users who were granted this role lose the privilege to use GRANT, REVOKE, and DROP ROLE statements to administer the specified role. If you do not specify ADMIN OPTION FOR in the REVOKE request, the system revokes the specified role from the roles or users to which it was granted. role_name one or more comma-separated names of roles that are being revoked. You can specify a maximum of 25 names per REVOKE request. The system ignores duplicate role names. TO FROM user_name role_name the names of roles or users or both from which the role or the ability to administer the role is being revoked. The system does not return errors for users or roles that were not previously granted the specified role. The TO keyword is a Teradata extension to ANSI SQL:2008. ANSI Compliance REVOKE (Role Form) is ANSI SQL:2008-compliant. 104 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (Role Form) Required Privileges To revoke a role, you must have the WITH ADMIN OPTION privilege on it. The following users can revoke role membership: • User DBC. • A user who was granted the specified role WITH ADMIN OPTION. A role is automatically granted to the creator of the role WITH ADMIN OPTION. • A user who has an active role to which the specified role was granted WITH ADMIN OPTION. An active role can be either a current role or a nested role of a current role. Revoking Roles Roles define privileges on database objects. A user who activates a role inherits all the privileges for the role and its nested roles. A user can only activate a role that has been granted to that user. Users can undergo role changes within their organization. An administrator can revoke a role when users no longer require access to the objects that the role has privileges to. An administrator can also revoke the WITH ADMIN OPTION privilege on a role when users no longer require the privilege to grant the role to users or other roles. Authorized users can revoke the WITH ADMIN OPTION privilege on a role from the creator of the role. Effects of Revoking a Role The effect of revoking a role is immediate. Users who are logged on with the revoked role as the current role or a nested role of the current role lose the privileges that the role defines. Users who have a default role set to the revoked role do not receive errors or warnings the next time they log on. However, the system does not use the obsolete default role for privilege validation. If the role is again granted to users, the default role again becomes the current role the next time users log on. Example If user marks gets a promotion from sales to management, the DBA can use the following statements to revoke the sales role and grant the management role: REVOKE sales FROM marks; GRANT management TO marks; SQL Data Control Language 105 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (Role Form) Related Topics 106 FOR more information on … SEE … granting roles to users and other roles “GRANT (Role Form)” on page 38 assigning default roles to users • “CREATE USER” in SQL Data Definition Language • “MODIFY USER” in SQL Data Definition Language changing the current role for a session “SET ROLE” in SQL Data Definition Language SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) REVOKE (SQL Form) Purpose Revokes one or more explicit privileges on a database, user, table, view, stored procedure, user-defined function, or macro from a role, group of roles, user, or group of users or removes the GRANT option from explicit privileges. Syntax REVOKE A ALL PRIVILEGES , GRANT OPTION FOR privilege ALL BUT , a role_privilege , profile_privilege A ON B database_name user_name role_name PUBLIC database_name. user_name. object_name object_name PROCEDURE procedure_name database_name. user_name. SPECIFIC FUNCTION specific_function_name database_name. user_name. FUNCTION function_name , ( ) database_name. user_name. TYPE data type parameter_name UDT_name SYSUDTLIB. a , B TO FROM user_name ALL PUBLIC , role_name database_name. user_name. SQL Data Control Language 1101V061 107 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Data Type INTEGER SMALLINT BIGINT BYTEINT DATE TIME TIMESTAMP (fractional_seconds_precision) WITH TIMEZONE INTERVAL YEAR (precision) TO MONTH INTERVAL MONTH (precision) INTERVAL DAY TO (precision) HOUR MINUTE SECOND ( fractional_seconds_precision ) INTERVAL HOUR TO (precision) MINUTE SECOND ( fractional_seconds_precision ) INTERVAL MINUTE (precision) TO SECOND ( fractional_seconds_precision ) INTERVAL SECOND (precision ) ,fractional_seconds_precision PERIOD(DATE) PERIOD(TIME PERIOD(TIMESTAMP ) (precision) WITH TIMEZONE REAL DOUBLE PRECISION FLOAT ( integer ) DECIMAL NUMERIC ( integer ) , integer A B 1101A535 108 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) A B CHAR BYTE ( integer ) GRAPHIC VARCHAR ( integer ) CHAR VARYING VARBYTE VARGRAPHIC LONG VARCHAR LONG VARGRAPHIC BINARY LARGE OBJECT ( integer BLOB ( G K M CHARACTER LARGE OBJECT CLOB UDT_name SYSUDTLIB. ST_Geometry MBR 1101A536 where: Syntax Element … Specifies … GRANT OPTION FOR that only the GRANT authority is removed from the specified privileges for the specified grantees for the corresponding explicit privileges they have. REVOKE GRANT OPTION FOR revokes the ability to grant the specified privileges to others, but does not revoke the explicit privileges themselves from the specified users or roles. This option does not apply to grantees that are roles. SQL Data Control Language 109 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Syntax Element … Specifies … ALL [PRIVILEGES] to revoke from the specified user or role all explicitly granted non-MONITOR database, but not table, privileges that can be granted on the specified object, and that are held, either implicitly or explicitly, WITH GRANT OPTION by the user executing the REVOKE. This means that REVOKE ALL does not revoke the INDEX and REFERENCES privileges. To revoke these privileges, you must do so explicitly. To revoke all explicit database privileges for a user, including MONITOR, the revoker must perform at least two statements, shown as follows: REVOKE ALL PRIVILEGES ON object FROM user_name; REVOKE MONITOR PRIVILEGES FROM user_name; ALL PRIVILEGES means all explicit database privileges. If you specify ALL PRIVILEGES, then only the explicit privileges held with grant authority are revoked from the grantee. ANSI SQL requires ALL to be followed by the keyword PRIVILEGES. ALL BUT to revoke all explicit database privileges from the specified user, database, or role, except those listed, that can be granted on the specified object and that are held, either implicitly or explicitly, WITH GRANT OPTION by the user performing the REVOKE statement. privilege one of the privileges listed in “Supported Privileges” on page 114. INSERT, REFERENCES, SELECT, and UPDATE have separate tableand column-level options. See “GRANT (SQL Form)” on page 41. You cannot grant the UPDATE privilege on a GENERATED ALWAYS identity column. The ANSI SQL:2008 standard does not support REVOKE on a database or user, or ALL BUT. These are Teradata extensions to the ANSI SQL-2008 standard. You can specify any combination of privileges; however, the user submitting the statement must itself have all of the specified privileges, either implicitly or explicitly, WITH GRANT OPTION. If DATABASE, FUNCTION, MACRO, PROCEDURE, PROFILE, ROLE, TABLE, TRIGGER, USER, or VIEW is specified without CREATE or DROP, both CREATE and DROP are revoked. If you specify CHECKPOINT, then the privilege is revoked both for the SQL statement and for the HUT commands DUMP and RESTORE. If you specify either DUMP or RESTORE individually, then the system revokes the privilege to perform the corresponding HUT command only. 110 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Syntax Element … Specifies … If you specify RESTORE, then the system also revokes the privileges to perform the HUT commands ROLLBACK, ROLLFORWARD, and DELETE JOURNAL. You cannot revoke privileges on a trigger, only on its containing database or its subject table. role_privilege one of the following privileges: • CREATE ROLE • DROP ROLE • ROLEa Role privileges can only be revoked from a set of users or a role. They cannot be revoked from an object. Use the ROLE privilege to revoke the CREATE ROLE and DROP ROLE privileges. profile_privilege one of the following privileges: • CREATE PROFILE • DROP PROFILE • PROFILEb Profile privileges can only be revoked from a set of users or a role. They cannot be revoked from an object. Use the PROFILE privilege to revoke the CREATE PROFILE and DROP PROFILE privileges. database_name | user_name | role_name | PUBLIC the name of a database, user, role or PUBLIC on which the explicitly granted privileges are to be revoked. All objects contained by this database or user space are affected. database_name. object_name | user_name.object_name the name of the immediately owning database or user and the name of the object (table, view, stored procedure, join index, or macro) on which explicitly granted privileges are being revoked. Only the specified object, and not all objects in the database or user space, is affected by revoking the privilege set. SQL Data Control Language 111 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Syntax Element … Specifies … object_name the name of the table, view, join index, stored procedure, function or macro from which explicitly granted privileges to be revoked. You should always qualify object names when revoking privileges because the system checks database names before it checks object names. IF … THEN the system … the object name is not qualified assumes it is a database name. the object name is not qualified and no database having that name is found assumes it is an object within the current database. neither a database nor an object is found returns an error to the requestor. PROCEDURE [database_name | user_name] procedure_name the name of the procedure from which privileges are to be revoked. SPECIFIC FUNCTION [database_name | user_name] specific_function_name the specific name of the function from which privileges are to be revoked. FUNCTION [database_name | user_name] function_name the name of the function from which privileges are to be revoked. [parameter_name] parameter_data_type a parenthetical comma-separated list of data types and optional parameter names for the variables to be passed to the function. This is used to uniquely identify overdetermined function names. The procedure name can be qualified by its containing database or user when necessary. The specific function name can be qualified by its containing database or user when necessary. The function name can be qualified by its containing database or user when necessary. BLOB and CLOB types must be represented by a locator (see SQL Data Manipulation Language for a description of locators). Teradata Database does not support in-memory LOB parameters: an AS LOCATOR phrase must be specified for each LOB parameter and return value. You must specify opening and closing parentheses even if no parameters are passed to the function. The data type associated with each parameter is the type of the parameter or returned value. All Teradata Database data types are valid. Character data can also specify a CHARACTER SET clause. 112 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Syntax Element … Specifies … TYPE [SYSUDTLIB.] UDT_name the name of a UDT on which a privilege set is to be revoked. The various TYPE privileges can be revoked as follows: THIS privilege … CAN be revoked from … UDTMETHOD SYSUDTLIB database. UDTTYPE UDTUSAGE TO FROM • SYSUDTLIB database. • TYPE. the recipient of the REVOKE statement action, which can be a set of users, ALL users, a role, or PUBLIC. You can specify a maximum of 25 names per REVOKE request. For compatibility, ANSI SQL requires you to specify FROM rather than TO. ALL user_name the database or user from whom explicit privileges are revoked. You can specify up to 25 names. ALL user_name specifies that the privileges are to be granted to or revoked from the named database or user, and every database or user owned by that database or user now and in the future. If you do not specify ALL user_name, then the revocation does not cascade through the hierarchy. ALL user_name is a Teradata extension to ANSI SQL. PUBLIC that the explicit privileges are to be revoked from all currently defined Teradata Database users and are not to be granted to future users. ALL DBC is equivalent to PUBLIC. database_name | user_name the containing database or user for role_name if something other than the current database or user. role_name the name of a role from which privileges are revoked. You can specify up to 25 role names. a. ROLE is not a separate privilege. It is shorthand for both CREATE ROLE and DROP ROLE. b. PROFILE is not a separate privilege. It is shorthand for both CREATE PROFILE and DROP PROFILE. ANSI Compliance REVOKE is ANSI SQL:2008-compliant with extensions. SQL Data Control Language 113 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Supported Privileges Teradata Database supports the privileges listed in the following list: • ABORT SESSION • ALTER EXTERNAL PROCEDURE • ALTER FUNCTION • ALTER PROCEDURE • AUTHORIZATION • CHECKPOINT • CREATE AUTHORIZATION • CREATE DATABASE • CREATE EXTERNAL PROCEDURE • CREATE FUNCTION • CREATE GLOP • CREATE MACRO • CREATE OWNER PROCEDURE • CREATE PROCEDURE • CREATE PROFILE • CREATE ROLE • CREATE TABLE • CREATE TRIGGER • CREATE USER • CREATE VIEW • CTCONTROL • • • • • • • • • • • • • • • • • • • • • • • DATABASE DROP DROP AUTHORIZATION DROP DATABASE DROP FUNCTION DROP GLOP DROP MACRO DROP PROCEDURE DROP PROFILE DROP ROLE DROP TABLE DROP TRIGGER DROP USER DROP VIEW DUMP EXECUTE EXECUTE FUNCTION EXECUTE PROCEDURE FUNCTION GLOP GLOP MEMBER INDEX INSERT [(column_list)] • • • • • • • • • • • • • • • • • • • • • • MACRO MONITOR RESOURCE MONITOR SESSION PROCEDURE REFERENCES [(column_list)] REFERENCES ALL BUT … [(column_list)] REPLCONTROL RESTORE SELECT [(column_list)] SET RESOURCE RATE SET SESSION RATE SHOW STATISTICS TABLE TRIGGER UDTMETHOD UDTTYPE UDTUSAGE UPDATE [(column_list)] UPDATE ALL BUT … [(column_list)] USER VIEW The term [(column_list)] following a privilege indicates a parenthetically enclosed set of optional comma-separated column names from which the privilege is to be revoked. Required Privileges To revoke a privilege, you must first have the privileges to grant it. You must either own the database object, or someone must first grant the privilege, either automatically or explicitly, to you, either directly or by means of a role, using WITH GRANT OPTION. If the object is a view or macro, the submitting user also must have the applicable privileges, WITH GRANT OPTION, on the objects referenced by the view or macro. Privilege Abbreviations See Data Dictionary for a complete list of privileges and their abbreviations as maintained in DBC.AccessRights. You cannot use these abbreviations in a REVOKE (SQL Form) request. Instead, you must specify the complete privilege name. 114 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Rules for privileges Keywords The following rules apply to using the privileges valid for the REVOKE (SQL Form) statement (see “REVOKE (SQL Form)” on page 107): • You can specify any combination of privileges appropriate for the corresponding database objects. However, the user submitting the statement must, itself, have those privileges, either implicitly or explicitly and WITH GRANT OPTION, on all of the specified objects. • The CHECKPOINT privilege applies to performing both the SQL statement and the Host Utilities (HUT) Archive/Recovery commands DUMP and RESTORE. The DUMP and RESTORE privileges refer to the corresponding HUT command performed on the specified object. RESTORE also refers to execution of the following HUT commands: • ROLLBACK • ROLLFORWARD • DELETE JOURNAL If you specify CHECKPOINT, then the system revokes the privilege for the SQL statement and for both the Archive/Recovery utility commands DUMP and RESTORE. The DUMP and RESTORE privileges refer individually to the corresponding HUT commands performed on the specified object. • CREATE DATABASE, FUNCTION, MACRO, PROCEDURE, TABLE, VIEW, or USER, and DROP DATABASE or USER are allowed only on databases or users. • DROP TABLE includes ALTER TABLE. • DROP MACRO, DROP PROCEDURE, or DROP VIEW include REPLACE MACRO, REPLACE PROCEDURE, or REPLACE VIEW, respectively. • Only DROP and EXECUTE are allowed on specified stored procedures, user-defined functions, or macros. If the object is a user-defined function or stored procedure, then you must precede its name with the appropriate keyword (either FUNCTION or PROCEDURE), respectively. If you do not specify one of those keywords, then the system assumes that the specified object name references a macro. If no macro by that name exists, then the statement aborts and returns an error. • Only ALTER FUNCTION, CREATE FUNCTION, DROP FUNCTION, EXECUTE FUNCTION, and FUNCTION are allowed on user-defined functions. • Only ALTER PROCEDURE, DROP PROCEDURE, and EXECUTE PROCEDURE are allowed on stored procedures. • DUMP, RESTORE, and CHECKPOINT are not allowed on views. • If you revoke RESTORE, then the privilege to perform the following utility commands is also revoked: SQL Data Control Language • ROLLBACK • ROLLFORWARD • DELETE JOURNAL. 115 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) • DATABASE, FUNCTION, JOIN INDEX, MACRO, PROCEDURE, PROFILE, ROLE, TABLE, VIEW, and USER confer both CREATE and DROP privileges on the respective database objects. If the DATABASE, FUNCTION, GLOP, JOIN INDEX, MACRO, PROCEDURE, PROFILE, ROLE, TABLE, USER, or VIEW keyword is specified without CREATE or DROP, then both CREATE and DROP are revoked. • ANSI SQL:2008 supports the following privileges only: • DELETE • EXECUTE • INSERT • REFERENCES • SELECT • TRIGGER • UPDATE The other privileges documented here are Teradata extensions to the ANSI SQL:2008 standard. • In most cases, the privilege keyword agrees with the keyword of a Teradata Database SQL statement. However, the following operations do not correspond to any SQL statements: • DATABASE • DUMP • MACRO • PROCEDURE • RESTORE • TABLE • USER • VIEW • INSERT, REFERENCES, SELECT, and UPDATE have both table- and column-level options. • You can revoke CREATE ROLE, DROP ROLE, CREATE PROFILE, and DROP PROFILE privileges from users only, not from roles or databases. • CREATE ROLE, DROP ROLE, CREATE PROFILE, and DROP PROFILE are system privileges; you can revoke the privileges from a user, but not on a specific object. • With respect to collecting or dropping statistics, the STATISTICS privilege has the same effect as either INDEX or DROP TABLE. Privileges Are Revoked Immediately REVOKE takes effect immediately when the revoked user issues his next statement. Privileges Must Be Revoked At The Same Level As They Were Granted The rows in DBC.AccessRights correlate privileges to the level in the system space hierarchy at which they were created. As a result, it is possible to submit a valid REVOKE statement that does not revoke the privileges you specify because the revocation was not requested at the correct hierarchical level. 116 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) For example, if privileges on an object were granted at the database or user level, and you later submit a REVOKE statement to rescind those privileges on a particular table in that database or user space, the statement completes, but no rows are deleted from DBC.AccessRights because there are no rows correlating those privileges with that table for the specified database or user. Instead, the rows in DBC.AccessRights correlate the privileges with the containing user or database. Consider the following space hierarchy: payroll human_resources pay_db table_a table_b table_c hr_db 1101A092 Suppose user payroll logs onto the system and grants the SELECT privilege on pay_db to user human_resources and all its descendents. The BTEQ LOGON command and GRANT request look like this: .LOGON tdpid/payroll,password GRANT SELECT ON pay_db TO ALL human_resources; Grant accepted. User payroll later decides to revoke the SELECT privilege on table_c in database pay_db from human_resources and its descendents. To revoke this privilege, user payroll submits the following REVOKE request: REVOKE SELECT ON table_c FROM ALL human_resources; Revoke accepted. Payroll now believes that the SELECT privilege on table_c has been revoked for human_resources and its descendents, but it has not been revoked because there were never any rows in DBC.AccessRights granting that privilege to human_resources on table_c. The row granting the SELECT privilege on the entire pay_db database to human_resources remains in DBC.AccessRights, so the originally granted SELECT privilege remains in effect. SQL Data Control Language 117 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Rules for Revoking SQL Privileges The following rules apply to various aspects of the SQL REVOKE statement: • Implicit privileges are governed by ownership and cannot be revoked. You can affect implicit privileges by using the GIVE statement to change ownership (see “GIVE” on page 30 for more information). • Any combination of privileges can be revoked by a user who has those privileges, either implicitly or explicitly, WITH GRANT OPTION. • The system does not automatically revoke privileges previously granted by a user after that user is dropped from the system. • Revoked privileges do not cascade through the hierarchy unless you specify the ALL user_name option. Conversely, if a privilege that was granted to ALL users and databases is revoked from user_name, the privilege is not granted automatically to future users and databases that are owned by user_name. • If the object is a view, stored procedure, or macro, the requesting user also must have WITH GRANT OPTION and all other applicable privileges on the objects referenced by that view, stored procedure, or macro. • If a REVOKE statement removes explicit privileges that were granted at the database- or user-level, the privileges are revoked for all objects, regardless of when they were created. A REVOKE statement at the object level cannot remove a privilege from that object that was granted at the database- or user-level (see “Privileges Must Be Revoked At The Same Level As They Were Granted” on page 116). • If a user receives the same privilege from one or more grantors, any user who has the necessary privileges can revoke that privilege from the user and from other grantees. In other words, a person who revokes a privilege from another need not be the grantor of that privilege. • If a privilege was granted to PUBLIC, the privilege can only be revoked from PUBLIC, not from individual users. • Revocation of a column-level privilege is only allowed if there is a row in DBC.AccessRights for the columns on which the privilege is to be revoked. This means that if the user has INSERT, REFERENCES, SELECT, or UPDATE privileges at the table level, revoking those privileges on individual columns is not allowed. Revoking Privileges on Global Temporary and Volatile Tables REVOKE always applies to the base global temporary table and never to a materialized instance. Just as with permanent tables, a user must have the appropriate prerequisite privileges before submitting a REVOKE statement. Because no privilege checking is done for volatile tables, you cannot REVOKE any privileges on them. 118 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Revoking Privileges on Stored Procedures The following rules apply to privileges specific to stored procedures: • CREATE PROCEDURE is only a database- or user-level privilege. • ALTER PROCEDURE, DROP PROCEDURE, and EXECUTE PROCEDURE apply to databases, users, or specified stored procedures. • DROP and EXECUTE can be used as abbreviations for DROP PROCEDURE and EXECUTE PROCEDURE while rescinding privileges if you specify PROCEDURE procedure_name. • The following happens if PROCEDURE is not specified before object_name: IF the request is … THEN … REVOKE EXECUTE the object is assumed to be a macro. If no macro by that name exists, an error or failure is returned. REVOKE DROP an error/failure is returned. Revoking UDT-Related Privileges See the following topics for information about UDT-related privileges: • “UDT-Related Privileges” on page 70 • “ALL PRIVILEGES and UDTs” on page 71 • “UDTUSAGE Privilege” on page 72 • “UDTTYPE Privilege” on page 73 • “UDTMETHOD Privilege” on page 73 See “Example 7: Revoking UDT-Related Privileges” on page 123 for examples of revoking UDT-related privileges. Revoking Privileges From Roles Revoking a privilege from a role does not necessarily revoke the privilege from all of its role members. A member who has been granted the same privilege on an individual basis or through another role retains that privilege until it is explicitly revoked. Revoking the CTCONTROL Privilege If you specify the GRANT OPTION FOR option with a REVOKE request on the CTCONTROL privilege, the specification removes only the ability of the recipient to grant the privilege to others. The CTCONTROL privilege itself is not revoked when you specify GRANT OPTION FOR. Instead, you must submit a REVOKE request on the user that does not specify GRANT OPTION FOR. SQL Data Control Language 119 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) GRANT/REVOKE Order and Duration of Privileges If a GRANT ALL ON object TO PUBLIC statement is issued by any user on an object that is lower in the hierarchy than user DBC, all other users inherit privileges on that object, including users created after the GRANT request is issued. If user DBC then issues a REVOKE ALL ON object_name FROM DBC, users created after the REVOKE request was issued are not granted privileges on that object. However, all previously created users retain the privileges until a REVOKE ALL ON object_name FROM PUBLIC is issued. For example: .LOGON dbc.password CREATE USER sys_admin AS PERM=900000 PASSWORD=sys_admin; GRANT ALL ON sys_admin TO sys_admin WITH GRANT OPTION; .LOGON sys_admin,sys_admin CREATE USER dept AS PERM=500000 PASSWORD=dept; GRANT ALL ON dept TO dept WITH GRANT OPTION; .LOGON DEPT,DEPT CREATE USER user_1 AS PERM=100000 PASSWORD=user_1; .LOGON USER1,USER1 CREATE TABLE table_1 ( column_1 INTEGER, column_2 INTEGER) PRIMARY INDEX(column_1); INSERT table_1(1,2); INSERT table_1(3,4); GRANT ALL ON table_1 TO ALL DBC; .LOGON dept,dept CREATE USER user_2 AS PERM=100000 PASSWORD=user_2; .LOGON user_2,user_2 120 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) SELECT * FROM user_1.table_1; The rows of table_1 are returned as expected. .LOGON dbc,password REVOKE ALL ON user_1.table_1 FROM dbc; .LOGON dept,dept CREATE USER user_3 AS PERM=100000 PASSWORD=user_3; .LOGON user_3,user_3 SELECT * FROM user_1.table_1; An error is returned because user_3 was created after the REVOKE was issued. .LOGON user_2,user_2 SELECT * FROM user_1.table_1; The contents of table_1 are returned as expected. Example 1 This request revokes the INSERT privilege from UserA on the employee table: REVOKE INSERT ON personnel.employee FROM UserA; Example 2 This request revokes from UserA any access to any object that requires database, but not table, privileges in the personnel database: REVOKE ALL PRIVILEGES ON personnel FROM UserA; Example 3 This request leaves UserA with table privileges and at least the SELECT privilege on the Department table: REVOKE ALL BUT SELECT ON Personnel.Department FROM UserA; The statement does not revoke database-level privileges or table-level privileges that UserA might have had on personnel; therefore, UserA might still have the ability to perform other requests such as an INSERT into personnel.department. SQL Data Control Language 121 Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) Example 4 This request leaves UserA with the SELECT privilege and all table-level privileges on every object in the personnel database: REVOKE ALL BUT SELECT ON personnel FROM UserA; Example 5: Stored Procedures The EXECUTE PROCEDURE privilege of user_2 on the stored procedure named stored_procedure_name in database_name must be revoked. Assume that all the specified database objects exist and that the grantor owns both the database and the stored procedure. You can submit any of the following REVOKE statements to revoke the specified privileges: REVOKE EXECUTE ON PROCEDURE database_name.stored_procedure_name FROM user_2; REVOKE EXECUTE PROCEDURE ON database_name.stored_procedure_name FROM user_2; REVOKE EXECUTE PROCEDURE ON PROCEDURE database_name.stored_procedure_name FROM user_2; Submit the following statement to revoke CREATE PROCEDURE, DROP PROCEDURE, and EXECUTE PROCEDURE privileges simultaneously from user_2 on the database named database_name: REVOKE CREATE PROCEDURE, DROP PROCEDURE, EXECUTE PROCEDURE ON database_name FROM user_2; To revoke ALTER PROCEDURE, EXECUTE, and DROP privileges simultaneously from user_2 on the stored procedure named stored_procedure_name in database database_name, you can perform either of the following requests: REVOKE ALTER PROCEDURE, EXECUTE, DROP ON PROCEDURE database_name.stored_procedure_name FROM user2; REVOKE ALL ON PROCEDURE database_name.stored_procedure_name FROM user2; If you specify PROCEDURE without also specifying either CREATE or DROP in a REVOKE request, the system drops both the CREATE PROCEDURE and DROP PROCEDURE privileges on database_name. 122 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE (SQL Form) For example, the following request drops both CREATE and DROP PROCEDURE privileges on database_name from user_2: REVOKE PROCEDURE ON database_name FROM user_2; Example 6 This request revokes the privilege from the Finance role to change the Personnel database: REVOKE UPDATE, DELETE, INSERT ON Personnel FROM Finance; Example 7: Revoking UDT-Related Privileges The following examples provide a representative sample of how to revoke UDT-related privileges: REVOKE UDTUSAGE ON SYSUDTLIB FROM tester1; REVOKE UDTMETHOD ON SYSUDTLIB FROM User_DBA; REVOKE UDTMETHOD ON SYSUDTLIB FROM Developer_Role; Example 8: Revoking the CTCONTROL Privilege The following example revokes from user kate the privilege to grant the CONNECT THROUGH privilege to any user defined to Teradata Database: REVOKE CTCONTROL FROM kate; Note that this request revokes the CTCONTROL privilege from kate, not just her ability to grant CTCONTROL to other users, which would be the outcome of the following similar appearing request: REVOKE GRANT OPTION FOR CTCONTROL FROM kate; See “Revoking the CTCONTROL Privilege” on page 119 for further information about this important distinction. Related Topics See “GRANT (SQL Form)” on page 41 for information about granting SQL privileges. SQL Data Control Language 123 Chapter 2: SQL Data Control Language Statement Syntax REVOKE CONNECT THROUGH REVOKE CONNECT THROUGH Purpose Revokes an existing proxy CONNECT THROUGH privilege from a permanent user or application user. Syntax , REVOKE CONNECT THROUGH trusted_user_name TO 25 A application_user_name , FROM PERMANENT 25 permanent_user_name A , WITH ROLE 15 role_name ; 1101A542 where: Syntax element … Specifies … trusted_user_name the name of the trusted user whose CONNECT THROUGH privilege is being revoked. application_user_name the name of an application user from whom the proxy logon privileges granted through trusted_user_name are being revoked. If you do not specify a WITH ROLE clause, the request revokes the connect privilege for the specified application user. You can specify a maximum of 25 names in a single revoke request. permanent_user_name the name of a permanent user from whom the proxy logon privileges granted through trusted_user_name are being revoked. If you do not specify a WITH ROLE clause, the request revokes the connect privilege for each permanent user from the trusted user. You can specify a maximum of 25 names in a single revoke request. 124 SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE CONNECT THROUGH Syntax element … Specifies … role_name a list of role names to be removed from the CONNECT THROUGH privilege granted to trusted_user_name. If you specify to remove all roles that have been granted the CONNECT THROUGH privilege for the specified permanent or application user, then the system revokes the entire privilege for the specified permanent or application user. Similarly, if you do not specify a WITH ROLE clause, then the system revokes the entire privilege for the specified permanent or application user. If the user whose privileges are being revoked is an application proxy user and this is the last remaining role for the grant privilege, the system also revokes the connect privilege for the proxy user. ANSI Compliance REVOKE CONNECT is a Teradata extension to the ANSI SQL:2008 standard. Required Privileges You must have the CTCONTROL privilege (see “CTCONTROL Privilege” on page 65) to perform a REVOKE CONNECT request. If the request specifies a WITH ROLE clause, you must also have the WITH ADMIN OPTION privilege on each of the roles specified in the clause. Role Persistence Through Active Proxy Connections Changes to a CONNECT THROUGH privilege definition are effective immediately, so the next request submitted in a proxy connection following a change to a CONNECT THROUGH privilege uses the new definition. When roles are dropped, they are also removed from the CONNECT THROUGH privilege definition, so it is possible for a rule to be left with no roles defined for it. When you drop all of the roles that were assigned to a CONNECT THROUGH privilege definition, Teradata Database grants the affected proxy users PUBLIC privileges only. CONNECT THROUGH and Parameter Markers Parameter markers are not supported for REVOKE CONNECT requests. SQL Data Control Language 125 Chapter 2: SQL Data Control Language Statement Syntax REVOKE CONNECT THROUGH Dictionary Storage of CONNECT THROUGH Metadata The dictionary table DBC.ConnectRulesTbl stores information on which proxy users can connect through which trusted users and what roles are available to make proxy connections. DBC.ConnectRulesTbl contains one row for every trusted_user_name:proxy_user_name combination that has been defined. To provide an audit trail for the management of the rules, the system retains the row in DBC.ConnectRulesTbl when a privilege is revoked. The DBC.ConnectRulesTbl.GrantStatus column for each privilege contains a G if the privilege is granted and an R if it is revoked. See “Dictionary Storage of CONNECT THROUGH Metadata” on page 90 and Data Dictionary for details about DBC.ConnectRulesTbl. Example The following REVOKE CONNECT request revokes the CONNECT THROUGH privilege that had been granted to permanent user sbd with the role admin through trusted user pls. REVOKE CONNECT THROUGH pls FROM PERMANENT sbd WITH ROLE admin; Related Topics 126 FOR more information on … SEE … Granting proxy connections “GRANT CONNECT THROUGH” on page 83 Setting query bands to enable proxy connections “SET QUERY_BAND” in SQL Data Definition Language Administering trusted sessions Database Administration Security issues related to trusted sessions Security Administration The dictionary attributes of trusted sessions Data Dictionary SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE LOGON REVOKE LOGON Purpose Does either of the following. • Revokes permission to log onto Teradata Database from one or more specific client systems. • Changes the current system logon defaults. Syntax , REVOKE LOGON ON host_id AS DEFAULT , ALL ; user_name TO FROM 1101B036 where: Syntax Element... Specifies... host_id an integer that identifies a mainframe channel connection or a LAN connection that is currently defined to the system by the hardware configuration data. The interface need not be operational. The value for the Teradata Database console is 0. For any other connector, the value for host_id ranges from 1 to 1023, inclusive. FOR this platform operating system … You can define this many host_ids per node … UNIX 1. Windows multiple. ALL any source through which a logon is attempted, including the Teradata Database console. AS DEFAULT that the current default for the specified host ID set is to be changed, without residual conditions, as defined in this REVOKE LOGON statement. A statement with AS DEFAULT has no effect on the access revoked from or granted to particular user names. A statement that sets the default for a specific host ID takes precedence over a statement that sets the default for ALL client systems. SQL Data Control Language 127 Chapter 2: SQL Data Control Language Statement Syntax REVOKE LOGON Syntax Element... Specifies... TO FROM keywords introduced to override the current default for the specified database_name_list or user_name set on the specified host_ID set. user_name a user name in a list of users from which logons are to be revoked. The name DBC cannot be specified as a user_name in a REVOKE LOGON statement. Any such statement that includes the name DBC returns an error message. The product of the number of host IDs and the number of database and user names cannot exceed 25. ANSI Compliance REVOKE LOGON is an extension to the ANSI SQL:2008 standard. Required Privileges You must have the EXECUTE privilege on the DBC.LogonRule macro to perform REVOKE LOGON. No checks are made on whether the database names or user names defined in the statement apply to users owned by the requesting user. If the system cannot verify the submitted statement because it specifies a nonvalid user name or a nonvalid host ID, then it aborts returns an error. Default Logon Permissions When Teradata Database is connected to multiple client systems, the initial default is that logon permission is granted to all users from all host IDs, and that all logons must include a password. 128 • The GRANT LOGON and REVOKE LOGON statements control which users have access from which client system connections. • A REVOKE LOGON statement inhibits only future logon attempts; it does not affect users who are currently logged on. SQL Data Control Language Chapter 2: SQL Data Control Language Statement Syntax REVOKE LOGON Each REVOKE LOGON Statement Creates A New Control Record When you enter a REVOKE LOGON statement for one or more user names, a logon control record is created for each user name-host ID pair specified. Any existing control record for a particular pair is replaced. The logon control record set created for a particular user name exists until that user is dropped (see “DROP USER” in SQL Data Definition Language). REVOKE LOGON on User DBC Is Not Valid Any attempt to REVOKE LOGON for user name DBC returns an error. If an attempt is made to log onto the system with user name DBC and the correct password is submitted, then the logon is accepted regardless of the current default for the applicable host ID. This prevents any opportunity to lock out all hosts from user DBC. AS DEFAULT Option A request that includes the AS DEFAULT option has no effect on the logon access granted to or revoked from specific user names. The following rules apply to the AS DEFAULT option: A user named in this type of statement … Assumes these privileges … REVOKE LOGON cannot access the applicable client even if that client has an assigned default of GRANT. GRANT LOGON can always access the applicable client even if that client has an assigned default of REVOKE. Related Topics See “GRANT LOGON” on page 93 for information about granting logon privileges. SQL Data Control Language 129 Chapter 2: SQL Data Control Language Statement Syntax REVOKE LOGON 130 SQL Data Control Language APPENDIX A Notation Conventions This appendix describes the notation conventions used in this book. Throughout this book, three conventions are used to describe the SQL syntax and code: • Syntax diagrams, used to describe SQL syntax form, including options. • Square braces in the text, used to represent options. The indicated parentheses are required when you specify options. For example: • • DECIMAL [(n[,m])] means the decimal data type can be defined optionally: • without specifying the precision value n or scale value m • specifying precision (n) only • specifying both values (n,m) • you cannot specify scale without first defining precision CHARACTER [(n)] means that use of (n) is optional. The values for n and m are integers in all cases. • Japanese character code shorthand notation, used to represent unprintable Japanese characters. See “Character Shorthand Notation Used In This Book” on page 137. Symbols from the predicate calculus are also used occasionally to describe logical operations. SQL Data Control Language 131 Appendix A: Notation Conventions Syntax Diagram Conventions Syntax Diagram Conventions Notation Conventions Item Definition / Comments Letter An uppercase or lowercase alphabetic character ranging from A through Z. Number A digit ranging from 0 through 9. Do not use commas when typing a number with more than 3 digits. Word Keywords and variables. • UPPERCASE LETTERS represent a keyword. Syntax diagrams show all keywords in uppercase, unless operating system restrictions require them to be in lowercase. • lowercase letters represent a keyword that you must type in lowercase, such as a UNIX command. • lowercase italic letters represent a variable such as a column or table name. Substitute the variable with a proper value. • lowercase bold letters represent an excerpt from the diagram. The excerpt is defined immediately following the diagram that contains it. • UNDERLINED LETTERS represent the default value. This applies to both uppercase and lowercase words. Spaces Use one space between items such as keywords or variables. Punctuation Type all punctuation exactly as it appears in the diagram. Paths The main path along the syntax diagram begins at the left with a keyword, and proceeds, left to right, to the vertical bar, which marks the end of the diagram. Paths that do not have an arrow or a vertical bar only show portions of the syntax. The only part of a path that reads from right to left is a loop. Continuation Links Paths that are too long for one line use continuation links. Continuation links are circled letters indicating the beginning and end of a link: A A FE0CA002 132 SQL Data Control Language Appendix A: Notation Conventions Syntax Diagram Conventions When you see a circled letter in a syntax diagram, go to the corresponding circled letter and continue reading. Required Entries Required entries appear on the main path: SHOW FE0CA003 If you can choose from more than one entry, the choices appear vertically, in a stack. The first entry appears on the main path: SHOW CONTROLS VERSIONS FE0CA005 Optional Entries You may choose to include or disregard optional entries. Optional entries appear below the main path: SHOW CONTROLS FE0CA004 If you can optionally choose from more than one entry, all the choices appear below the main path: READ SHARE ACCESS JC01A010 Some commands and statements treat one of the optional choices as a default value. This value is UNDERLINED. It is presumed to be selected if you type the command or statement without specifying one of the options. SQL Data Control Language 133 Appendix A: Notation Conventions Syntax Diagram Conventions Strings String literals appear in single quotes: 'msgtext ' JC01A004 Abbreviations If a keyword or a reserved word has a valid abbreviation, the unabbreviated form always appears on the main path. The shortest valid abbreviation appears beneath. SHOW CONTROLS CONTROL FE0CA042 In the above syntax, the following formats are valid: • SHOW CONTROLS • SHOW CONTROL Loops A loop is an entry or a group of entries that you can repeat one or more times. Syntax diagrams show loops as a return path above the main path, over the item or items that you can repeat: , , ( cname 3 4 ) JC01B012 Read loops from right to left. The following conventions apply to loops: 134 IF... THEN... there is a maximum number of entries allowed the number appears in a circle on the return path. there is a minimum number of entries required the number appears in a square on the return path. In the example, you may type cname a maximum of 4 times. In the example, you must type at least three groups of column names. SQL Data Control Language Appendix A: Notation Conventions Syntax Diagram Conventions IF... THEN... a separator character is required between entries the character appears on the return path. If the diagram does not show a separator character, use one blank space. In the example, the separator character is a comma. a delimiter character is required around entries the beginning and end characters appear outside the return path. Generally, a space is not needed between delimiter characters and entries. In the example, the delimiter characters are the left and right parentheses. Excerpts Sometimes a piece of a syntax phrase is too large to fit into the diagram. Such a phrase is indicated by a break in the path, marked by (|) terminators on each side of the break. The name for the excerpted piece appears between the terminators in boldface type. The boldface excerpt name and the excerpted phrase appears immediately after the main diagram. The excerpted phrase starts and ends with a plain horizontal line: LOCKING excerpt A A HAVING con excerpt where_cond , cname , col_pos JC01A014 Multiple Legitimate Phrases In a syntax diagram, it is possible for any number of phrases to be legitimate: dbname DATABASE tname TABLE vname VIEW JC01A016 In this example, any of the following phrases are legitimate: SQL Data Control Language 135 Appendix A: Notation Conventions Syntax Diagram Conventions • dbname • DATABASE dbname • tname • TABLE tname • vname • VIEW vname Sample Syntax Diagram , viewname CREATE VIEW AS cname CV A LOCKING LOCK ACCESS dbname A DATABASE tname FOR SHARE IN READ TABLE WRITE EXCLUSIVE vname VIEW EXCL , B SEL B MODE expr , FROM tname qual_cond C .aname C HAVING cond ; qual_cond , WHERE cond GROUP BY cname , col_pos JC01A018 Diagram Identifier The alphanumeric string that appears in the lower right corner of every diagram is an internal identifier used to catalog the diagram. The text never refers to this string. 136 SQL Data Control Language Appendix A: Notation Conventions Character Shorthand Notation Used In This Book Character Shorthand Notation Used In This Book Introduction This book uses the Unicode naming convention for characters. For example, the lowercase character ‘a’ is more formally specified as either LATIN SMALL LETTER A or U+0041. The U+xxxx notation refers to a particular code point in the Unicode standard, where xxxx stands for the hexadecimal representation of the 16-bit value defined in the standard. In parts of the book, it is convenient to use a symbol to represent a special character, or a particular class of characters. This is particularly true in discussion of the following Japanese character encodings. • KanjiEBCDIC • KanjiEUC • KanjiShift-JIS These encodings are further defined in International Character Set Support. Character Symbols The symbols, along with character sets with which they are used, are defined in the following table. Symbol Encoding Meaning a–z Any Any single byte Latin letter or digit. Unicode compatibility zone Any fullwidth Latin letter or digit. KanjiEBCDIC Shift Out [SO] (0x0E). A–Z 0–9 a–z A–Z 0–9 < Indicates transition from single to multibyte character in KanjiEBCDIC. > KanjiEBCDIC Shift In [SI] (0x0F). Indicates transition from multibyte to single byte KanjiEBCDIC. T Any Any multibyte character. The encoding depends on the current character set. For KanjiEUC, code set 3 characters are sometimes preceded by “ss3”. SQL Data Control Language 137 Appendix A: Notation Conventions Character Shorthand Notation Used In This Book Symbol Encoding Meaning I Any Any single byte Hankaku Katakana character. In KanjiEUC, it must be preceded by “ss2”, forming an individual multibyte character. ∆ Any Represents the graphic pad character. ∆ Any Represents a single or multibyte pad character, depending on context. ss 2 KanjiEUC Represents the EUC code set 2 introducer (0x8E). ss 3 KanjiEUC Represents the EUC code set 3 introducer (0x8F). For example, string “TEST”, where each letter is intended to be a fullwidth character, is written as TEST. Occasionally, when encoding is important, hexadecimal representation is used. For example, the following mixed single byte/multibyte character data in KanjiEBCDIC character set LMN<TEST>QRS is represented as: D3 D4 D5 0E 42E3 42C5 42E2 42E3 0F D8 D9 E2 Pad Characters The following table lists the pad characters for the various character data types. Server Character Set 138 Pad Character Name Pad Character Value LATIN SPACE 0x20 UNICODE SPACE U+0020 GRAPHIC IDEOGRAPHIC SPACE U+3000 KANJISJIS ASCII SPACE 0x20 KANJI1 ASCII SPACE 0x20 SQL Data Control Language Glossary ACM Association for Computing Machinery AMP Access Module Processor vproc The set of software services that controls the file system and data management components of a Teradata Database. ANSI American National Standards Institute (http://www.ansi.org) A US-based umbrella standards organization based in Washington, D.C., that defines, certifies, and administers the SQL standard. The ANSI SQL standards are available for purchase at the following web site: http:// webstore.ansi.org/ansidocstore/find.asp? The ANSI SQL standard is also recognized by the ISO. API Application Programming Interface. A set of software services with a well-defined program interface. Application User Application users are proxies for middle tier applications that access Teradata Database by means of a session logged onto by a Trusted User. An application proxy user can be anything that represents a client connecting to the middle tier such as a client name or an Automated Teller Machine ID. Application proxy user names are not defined in Teradata Database, so the system does not valid their names, but the names must follow Teradata object naming conventions. Along with the category of Permanent User application users are more broadly referred to as a Proxy User ASCII American Standard Code for Information Interchange A standard seven-bit code designed to establish compatibility between various types of data processing equipment. Originally proposed in 1963, ASCII is documented by the following standards: ISO-14962-1997 and ANSI-X3.4-1986(R1997). The standard ASCII character set defines 128 decimal numbers ranging from 0 through 127, inclusive. The individual characters are assigned to alphanumerics, punctuation marks, and a set of commonly used special characters. There is also an extended ASCII character set consisting of an additional 128 decimal numbers ranging from 128 through 255, inclusive. These characters are assigned to additional special, mathematical, graphic, and “foreign” characters. Because ASCII uses only 7 bits, it is possible to use the 8th bit for parity checking. Compare with EBCDIC. SQL Data Control Language 139 Glossary BLOB Binary Large OBject A data object, usually larger than 64K, that contains only binary data such as pictures, movies, or music. Compare with CLOB. BNF Backus-Naur Form or Backus Normal Form A metalanguage used to specify computer languages. BTEQ Basic Teradata Query facility A client interface to Teradata Database that permits users to submit SQL requests interactively or in batch mode, to format result sets, to build and perform scripts, and to import and export data. BTEQ is based on the CLIv2 API, while the somewhat similar facility, SQL Assistant, is based on the ODBC API. As a result, there are several significant differences in the behavior of the two facilities. BYNET BanYan NETwork - A proprietary high speed hybrid hardware and software communications network that handles the data flow between the PEs and AMPs running on the various SMP nodes in a Teradata system. C A general-purpose programming language developed by Dennis Ritchie of AT&T Bell Laboratories. C++ An object-oriented programming language developed by Bjarne Stroustrup of AT&T Bell Laboratories as an extension to the C language. CLIv2 Call Level Interface Version 2 CLIv2 is the API for most client-server interactions in Teradata Database. The applications that do not use CLIv2, such as SQL Assistant, use the ODBC API to communicate between the client and the Teradata server. CLOB Character Large OBject A data object, usually larger than 64K, that contains only character data such as XML or other text files. Compare with BLOB. Connection Pool Connection pooling is a technique for sharing platform resources among various requesting clients. It allows multiple clients to share a cached set of connection objects that provides access to Teradata Database. Connection pooling improves performance by eliminating the overhead associated with establishing a new connection to Teradata Database for each request. Also see Application User, Permanent User, Proxy Connection, Proxy Role, Proxy User, and Trusted User. 140 SQL Data Control Language Glossary EBCDIC Extended Binary-Coded Decimal Interchange Code An 8-bit code for alphanumerics, punctuation marks, and special characters devised by IBM Corporation as an alternative to ASCII EBCDIC and ASCII use different coding schemes to define their respective character sets, and EBCDIC defines some special characters that are not defined in ASCII. EBCDIC is only used by IBM computing equipment. Because EBCDIC is an 8-bit coding scheme, it is not possible to perform parity checks using the 8th bit. Compare with ASCII. External Routine A generic term to describe stored procedures, user-defined functions, and user-defined methods. EXTUSER FK External USER See Foreign Key. Foreign Key Foreign Key A means of establishing referential integrity between tables in a relational database. A foreign key in a child table is typically the logical primary key of its parent table. If it is not the primary key for the parent table, then it is one of its alternate keys. Compare with Primary Key. GDO Global Distributed Object. Global Temporary Table Global Temporary Table A type of table whose definition persists across sessions, but whose contents typically do not. You can materialize only one instance of a global temporary table within the same session, but up to 2 000 different global temporary table instances within the same session, and there is no limit to the number of sessions that can materialize an instance of the same global temporary table definition. Global temporary tables are also limited by not being indexable, not eligible to have statistics collected on their columns, not being compressible, not eligible for permanent journaling (though global temporary table updates can optionally be logged), not eligible to define most types of constraints, and so on. See “Global Temporary Tables” in SQL Data Definition Language for a complete definition of global temporary tables and a listing of their restrictions. Compare with Volatile Table. GLOP An initialism for GLObal and Persistent data. GLOPs enable external routines to access global shared memory that contains data of your choosing. GLOPs make it possible to use this data to make configurable business decisions without the need to externalize the information by means of parameters or other methods of passing data to external routines. A GLOP persists beyond a single invocation of an external routine, enabling it to be referenced by subsequent external routines either in either its original, or modified, form. SQL Data Control Language 141 Glossary GLOP Set A GLOP set is the GLOP mapping that is accessed when it is referenced by a UDF, method, or external procedure. A GLOP set consists of up to 8 GLOP data sections of various types. GTT See Global Temporary Table. Hash Index Hash Index A vertical partition of a base table having properties similar to a single-table Join Index. Unlike the primary index, which is stored in-line with the row it indexes, hash indexes are stored in separate subtables that must be maintained by the system. Hash index subtables also consume disk space, so you should monitor your queries periodically using EXPLAIN modifiers to determine whether the Optimizer is using any of the hash indexes you designed for them. If not, you should either drop those indexes or rewrite your queries in such a way that the Optimizer does use them. HI See Hash Index. IEEE Institute of Electrical and Electronics Engineers (http://www.ieee.org) The leading US-based professional society for electrical and electronics engineers. The largest of its member societies is the IEEE Computer Society (http://www.computer.org). ISO International Organization for Standardization http://www.iso.org An international umbrella standards organization based in Geneva, Switzerland, that also certifies the ANSI SQL standard. The following passage from the ISO web site explains why the name of the organization does not match its (apparent) initialism: “Because "International Organization for Standardization" would have different abbreviations in different languages ("IOS" in English, "OIN" in French for Organisation internationale de normalisation), it was decided at the outset to use a word derived from the Greek isos, meaning "equal". Therefore, whatever the country, whatever the language, the short form of the organization's name is always ISO.” The ISO packaging of the SQL standard can be obtained from the following web site: http:// www.iso.org/iso/en/ StandardsQueryFormHandler.StandardsQueryFormHandler?scope=CATALOGUE&sortOrde r=ISO&committee=ALL&isoDocType=ALL&title=true&keyword=sql JavaTM A class-based, object-oriented programming language developed by Sun Microsystems. JI See Join Index. Join Index A vertical partition of one or more base tables that can, depending on how it is defined, create various types of prejoins of tables, including sparse and aggregate forms. Join indexes cannot be queried directly by an SQL request; instead, they are used by the Optimizer to enhance the performance of any queries they cover. A join index that only vertically partitions a base table is referred to as a single-table join index. 142 SQL Data Control Language Glossary A join index that prejoins two or more base tables is referred to as a multitable join index. Both types of join index can be created in sparse or aggregate forms and can have a subset of their columns compressed. Unlike the primary index, which is stored in-line with the row it indexes, join indexes are stored in separate subtables that must be maintained by the system. Join index subtables also consume disk space, so you should monitor your queries periodically using EXPLAIN modifiers to determine whether the Optimizer is using any of the join indexes you designed for them. If not, you should either drop those indexes or rewrite your queries in such a way that the Optimizer does use them. LOB Large OBject Any data object that is larger than the maximum row size for Teradata Database. There are two types of LOB: the BLOB and the CLOB. NoPI Table A table that has no primary index. All access to NoPI table rows is by means of a full-table scan unless you define Secondary Indexes on the table. See Database Design for details. NPPI NonPartitioned Primary Index A Primary Index that is not partitioned into range buckets by means of a partitioning expression. NUPI Non-Unique Primary Index A Primary Index that is not uniquely constrained. NUSIs are often used to position rows from multiple tables on the same AMP to facilitate join operations on those tables. NUSI Non-Unique Secondary Index An AMP-local Secondary Index designed to be used for set (multirow) selection rather than single-row selection. ODBC Open DataBase Connectivity A de facto standard API for communicating between client applications and relational databases using SQL. The ANSI SQL standard API, referred to as CLI (sometimes as SQL/CLI), or Call-Level Interface, is based on the ODBC specification. Beginning with ODBC version 3.0, the ODBC standard and the ANSI SQL Call Level Interface standards became identical. See http://www.sqlsummit.com/ODBCPORT.HTM. OLTP On-Line Transaction Processing A category of workload processing that typically deals with very brief update transactions. A typical application of OLTP technology is automated teller machines. SQL Data Control Language 143 Glossary OS Operating System A level of software that provides services to permit higher level software to interact with system hardware. UNIX, Linux, Windows, and z/OS are examples of operating systems. PDE Parallel Database Extensions A virtual machine layer between the Teradata Database software and the Teradata file system and the underlying operating system. The PDE presents a common interface to the Teradata Database software that permits the RDBMS and file system to be more easily ported to different operating systems. PE Parsing Engine vproc The set of software services that controls the query processing and session management components of a Teradata Database. Permanent User Permanent users are proxies for users who access Teradata Database by means of a session logged onto by a Trusted User. In contrast to an Application User, trusted users are always defined within Teradata Database. The privileges for a permanent proxy user are either those that have been defined for that permanent user or those defined by the roles assigned to the proxy user in the GRANT CONNECT privileges for the Trusted User under whose session the permanent user is logged onto Teradata Database. Along with the category of Application User, application users are more broadly referred to as a “Proxy User.” PI See Primary Index. PK See Primary Key. PPI Partitioned Primary Index A Primary Index that is used to first distribute rows to the AMPs as they would be by an NPPI, then partitioned into a set of ranges determined by the DBA and specified using a PARTITION BY clause in the table definition statement. PPIs are particularly useful for supporting various types of range queries. Primary Index A set of columns in a table whose values are hashed to create a code used to distribute its rows to, and retrieve them from, the AMPs. Each table in a Teradata database must have either none or one primary index, which might or might not be unique. Compare with NoPI Table and Primary Key. 144 SQL Data Control Language Glossary Primary Key A set of columns in a table whose values make each row in that table unique. Primary keys are a logical, not physical, concept that are often, but not necessarily, used as the primary index for a table when it is physically designed. A table can have multiple candidate keys, but only one primary key can be defined for it. Those candidate keys that are not used as the primary key for a table are referred to as alternate keys. Relationships between primary and foreign keys are often used to establish referential integrity between tables. These relationships are also frequently exploited by the Optimizer to enhance query performance. Proxy Connection A connection in which the user being validated for privileges and logging is a Proxy User. Proxy Role A role defined for a Proxy Connection. If a proxy connection specifies a PROXYROLE=role_name string, role_name must be one of the role names specified in the WITH ROLE clause of the GRANT CONNECT THROUGH request that. PROXYROLE is a reserved query band name used to enable asserting a proxy role by means of a SET QUERY_BAND request. Proxy User A user that connects to Teradata Database using the session of a Trusted User. Application users and permanent users are collectively referred to as proxy users. PROXYUSER is a reserved query band name used to enable asserting a proxy user by means of a SET QUERY_BAND request. RDBMS Relational DataBase Management System A database management system based on relational set theory and the theorems, axioms, and operators provided by set theory. The set theoretic foundation for an RDBMS provides a scientific, predictable, set of tools for managing data. Referential Integrity A method of ensuring that no data is ever orphaned in a relational database. Referential integrity uses the parent-child relationships between a Primary Key and a Foreign Key to prevent child table rows from ever being orphaned from deleted parent table rows. The Teradata relational database management software supports three different kinds of relational integrity constraints: • Referential Integrity constraints This is the standard RI constraint defined by the ANSI SQL standard. • Batch Referential Integrity constraints This is a special Teradata Database form of RI that is less expensive to enforce in terms of system resources than standard referential integrity because it is enforced as an all-or-nothing operation (the entire transaction must complete successfully) rather than on a row-by-row basis, as standard referential integrity is checked. SQL Data Control Language 145 Glossary • Referential Constraints This is a special Teradata Database form of RI, sometimes informally referred to as soft RI, that specifies constraints the Optimizer can use to optimize queries, but are not enforced by the system. In other words, their referential constraint is logical only and is not enforced physically. Referential integrity relationships are often used by the Optimizer to enhance query performance. Request work. One or more SQL statements submitted to Teradata Database as a single unit of RI See Referential Integrity. Secondary Index A vertically partitioned subset of base table columns used to facilitate data manipulation operations. Unlike the primary index, which is stored in-line with the row it indexes, secondary indexes are stored in separate subtables that must be maintained by the system. Secondary index subtables also consume disk space, so you should monitor your queries periodically using EXPLAIN modifiers to determine whether the Optimizer is using any of the secondary indexes you designed for them. If not, you should either drop those indexes or rewrite your queries in such a way that the Optimizer does use them. Secondary indexes come in two types: USI and NUSI. SI See Secondary Index. SMP Symmetric MultiProcessor. In the Teradata system architecture, an SMP is represented by a single node. SQL The programming language used to create relational database objects (Data Definition Language, or DDL), to manipulate their contents (Data Manipulation Language, or DML), and to define their security attributes (Data Control Language, or DCL). Now preferably pronounced ess-kew-ell, the language was originally named SEQUEL (Structured English QUEry Language) and was pronounced as it was spelled. According to the ANSI SQL standard, SQL does not stand for Structured Query Language, as is commonly thought. The name is neither an acronym nor does it represent anything other than the characters S, Q, and L. Trusted User A user who has been granted the privilege to assume the identity of a Proxy User. UDT User-Defined Type A data type defined by someone other than Teradata. UDTs come in two variations: Distinct and Structured. See “CREATE TYPE (Distinct Form)” in SQL Data Definition Language, “CREATE TYPE (Structured Form)” in SQL Data Definition Language, and SQL External Routine Programming for additional information. 146 SQL Data Control Language Glossary UPI Unique Primary Index A Primary Index that is uniquely constrained. The rows from a table defined with a UPI tend to be distributed more evenly across the AMPs than rows from a table defined with a NUPI USI Unique Secondary Index A Secondary Index designed to facilitate single-row access. Volatile Table Volatile Table A type of table that is private to the session in which it is created and persists only for the duration of that session. Volatile tables are also limited by not being indexable, not eligible to have statistics collected on their columns, not being compressible, not eligible for journaling, not eligible to define most types of constraints, and so on. See SQL Data Definition Language for a complete definition of volatile tables and a listing of their restrictions. Compare with Global Temporary Table vproc Virtual Process The Version 1 Teradata architecture used several different specialized node types to process data, including the following node types: • IFP (InterFace Processor) • COP (Communications Processor) • APP (Application Processor) • AMP The Version 2 Teradata architecture is based on a common node configuration. Each TPA node can run one or more PE and AMP vprocs that emulate the functions of the Version 1 hardware nodes. The functions IFP and COP nodes of the Version 1 architecture are consolidated in the PE vproc, while the analogous functionality of an APP node of the Version 1 architecture is running Teradata Tools and Utilities software on a non-TPA node in a Teradata MPP system. VT XSP See Volatile Table. EXternal Stored Procedure A stored procedure whose procedural code is contained in an external routine that is written in a language other than SQL such as C, C++, or Java. Compare with SQL stored procedure, in which the procedural code is contained in a routine internal to Teradata Database and written in the SQL language. SQL Data Control Language 147 Glossary 148 SQL Data Control Language Index A G ABORTSESSION monitor privilege 34 Application proxy user 84, 86, 88, 124 Authorization 10 Automatic privileges 25 GIVE statement 30 compared to GRANTstatement 55 Global temporary tables rules for revoking privileges on 118 GLOP MEMBER privilege 65, 81 GLOP privilege 65, 81 GRANT (Monitor Form) statement 34 GRANT (MONITOR Form) statement contrasted with GRANT (SQL Form) statement 36 GRANT (Role Form) 38 granting role membership 38 role hierarchy 39 GRANT (SQL Form) and GRANT (MONITOR Form) statements 36 GRANT (SQL Form) statement 41 options 53 GRANT (SQL Form) statement contrasted with GRANT (MONITOR form) statement 36 GRANT CONNECT THROUGH statement 83 GRANT LOGON statement 93 GRANT statement 33 compared to GIVE statement 55 Granting column-level privileges 56 Granting privileges to others 18 C Column-level privileges granting column-level privileges 56 CONNECT THROUGH privilege 83, 124 CREATE EXTERNAL PROCEDURE privilege 68 CREATE FUNCTION privilege 70 CREATE GLOP privilege 65, 81 Creator definition for privileges 13 privileges 16 rules for creators 16 CTCONTROL privilege 54, 65 D Database compared with user 12 definition 12 DBC.AccessRights table 23 DROP FUNCTION privilege 70 DROP GLOP privilege 65, 81 E EXECUTE FUNCTION privilege 70 Explicit privileges 22, 24 automatic granting of explicit privileges 22 characteristics of explicit privileges 23 GRANT WITH GRANT OPTION 22 reporting contents of DBC.AccessRights table 23 summarized in contrast with implicit privileges 24 External authentication granting logon to a user 96 SQL Data Control Language I Immediate owner rules of ownership 16 Implicit privileges 21, 24 characteristics of implicit privileges 21 duration of implicit privileges 21 summarized in contrast with explicit privileges 24 INDEX privilege 56 Inherited privileges 26 J Japanese character code notation how to read 137 149 Index L Logging on as user DBC 95 using external authentication 96 with no password 95 Logon revoking logon privileges 127 M MONRESOURCES monitor privilege 34 MONSESSION monitor privilege 35 O Objects ownership of 16 Owner definition for privileges 13 privileges 16 rules for owners 16 P Password requirements for the GRANT LOGON statement 95 Permanent proxy user 84, 86, 88, 124 Privileges 10, 16 ABORTSESSION 34 ALL PRIVILEGES and UDTs 71 automatic privileges 25 column-level privileges 56 CONNECT THROUGH 83, 124 CREATE EXTERNAL PROCEDURE privilege 68 CREATE FUNCTION privilege 70 CREATE GLOP privilege 65, 81 creation principles summarized 16 creators 13, 15 CTCONTROL privilege 54, 65 data dictionary abbreviations for privileges 53, 114 database-level privileges 22 definition of privileges 17 DROP FUNCTION privilege 70 DROP GLOP privilege 65, 81 duration of privileges 120 establishing privileges using GRANT 33 EXECUTE FUNCTION privilege 70 explicit 22, 24 150 GLOP 65, 81 GLOP MEMBER 65, 81 granting privileges to others 18 implicit 21, 24 INDEX privilege 56 inherited 26 MONITOR-related privileges for GRANT (Monitor Form) statement 34 MONRESOURCES monitor privilege 34 MONSESSION monitor privilege 35 owner versus creator 16 owners 13, 15 ownership principles summarized 16 privileges are revoked immediately 116 privileges must be revoked at the same level as they were granted 116 privileges on queue tables 65 privileges on roles 74 privileges on stored procedures 66 privileges on UDFs 69 privileges on UDTs 70 PUBLIC privileges 27 REFERENCES privilege 56 REPLCONTROL privilege 64 restrictions on granted privileges 58 revoking logon privileges 127 SETRESRATES monitor privilege 35 SETSESSRATE monitor privilege 35 summary of privileges 28 system-granted 18 table-level privileges 22 types of privileges 17 UDTMETHOD privilege 73 UDTTYPE privilege 73 UDTUSAGE privilege 72 users 13, 14 when privileges become effective 55 where privileges are stored 11 Proxy users application proxy user 84, 86, 88, 124 permanent proxy user 84, 86, 88, 124 PUBLIC privileges 27 SQL Data Control Language Index R REFERENCES privilege 56 REPLCONTROL privilege 64 REVOKE (Monitor Form) statement 100 revokable privileges 102 rules for use 102 REVOKE (Role Form) statement 104 revoking role membership 104 revoking roles 105 REVOKE (SQL Form) and REVOKE (MONITOR Form) statements 102 REVOKE (SQL Form) statement 107 options 115 rules for revoking privileges 118 rules for revoking privileges from roles 119 rules for revoking privileges on stored procedures 119 rules for revoking privileges on UDTs 119 REVOKE CONNECT THROUGH statement 124 REVOKE LOGON statement 127 REVOKE statement 98 Revoking logon privileges 127 cannot revoke logon for user DBC 129 Roles active role 39 granting role membership 38 revoking role membership 104 rules for revoking privileges from 119 usage 39 Rules GRANT (SQL Form) statement 53 REVOKE (SQL Form) 115 REVOKE (SQL Form) statement 115 Rules for revoking privileges global temporary tables 118 REVOKE (SQL Form) 118 volatile tables 118 Rules for revoking privileges from roles 119 Rules for revoking privileges from UDTs 119 Rules for revoking privileges on stored procedures 119 REVOKE 98 REVOKE (Monitor Form) 100 REVOKE (Role Form) 104 REVOKE (SQL Form) 107 REVOKE CONNECT THROUGH 124 REVOKE LOGON 127 Syntax diagrams how to read 131 System-granted privileges 18 T Trusted sessions application proxy user 84, 86, 88, 124 GRANT CONNECT THROUGH statement 83 permanent proxy user 84, 86, 88, 124 REVOKE CONNECT THROUGH statement 124 trusted user 83, 84, 86, 89, 124 Trusted user 83, 84, 86, 89, 124 U UDTMETHOD privilege 73 UDTTYPE privilege 73 UDTUSAGE privilege 72 Unicode character naming convention 137 User compared with database 12 definition 12 definition for privileges 14 V Volatile tables rules for revoking privileges on 118 S SETRESRATE monitor privilege 35 SETSESSRATE monitor privilege 35 SQL statements GIVE 30 GRANT 33 GRANT (Monitor Form) 34 GRANT (Role Form) statement 38 GRANT (SQL Form) 41 GRANT CONNECT THROUGH statement 83 GRANT LOGON 93 SQL Data Control Language 151 Index 152 SQL Data Control Language