3.3 Granting privileges
Privileges are granted to users so that they can access and operate on database
objects, or perform certain tasks within a database.
A user can receive a privilege in two ways: the privilege can be granted to the user
explicitly, or it can be granted to a role and the role then granted to one or more
users. Roles make privileges easier to manage, so privileges are normally granted to
roles rather than to individual users. Roles can be granted both to users and to other
roles.
The user who granted a privilege or a role is the grantor of that privilege
(role).
To grant a privilege on a database object you must be the owner of that object or the
DBA user. To grant one or more privileges on a database object to one or more users or
roles, use:
GRANT "privilege" | ALL
ON [DOCUMENT|COLLECTION] "database-object-name"
TO "user-name|role-name" | PUBLIC
For example, the following statement:
GRANT "QUERY" ON DOCUMENT "auction" TO "Alice"
grants the QUERY privilege on the document auction to the user named Alice. She will
then be able to run any XQuery query against this document.
The key word PUBLIC is used when the privileges are to be granted to all users,
including those that may be created later. PUBLIC may be thought of as an implicitly
defined role that every user has.
If the kind of database object (DOCUMENT or COLLECTION) is not specified, the
database object is assumed to be a document.
To grant a privilege on a database you must be the DBA user. To grant one or more
privileges on a database to one or more users or roles, use:
GRANT "privilege" | ALL
ON DATABASE
TO "user-name|role-name" | PUBLIC
For example, the following statement:
GRANT "LOAD" ON DATABASE TO "Alice"
allows Alice to perform bulk load into the database.
To grant a role you must be allowed to grant every privilege of that role: you must be
the owner of every database object covered by the role's privileges, or the DBA user.
Granting a role to another role means the grantee adds the privileges of the granted
role to its own set of privileges. To grant a role to one or more users or roles, use:
GRANT "role-name"
TO "user-name|role-name" | PUBLIC
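The following sequence of GRANT statements is an added example, not part of the manual, showing the role-based pattern the section recommends. It assumes the documents "auction" and "catalog" and the roles "auction_readers" and "auction_loaders" already exist (role creation is not covered here), that the statements are run by the owner of "auction" or the DBA user, and it uses XQuery-style (: ... :) comments for annotation only.

```sql
(: Added example, not from the Sedna manual. Assumes the documents "auction"
   and "catalog" and the roles "auction_readers" and "auction_loaders" exist. :)

(: Attach object privileges to a role rather than to individual users, so that
   adding or removing a user never requires touching the object grants. :)
GRANT "QUERY" ON DOCUMENT "auction" TO "auction_readers"

(: Grant the role to users. The grantor must be able to grant every privilege
   the role carries: here the owner of "auction" or the DBA user. :)
GRANT "auction_readers" TO "Alice"
GRANT "auction_readers" TO "Bob"

(: Database-level privileges can only be granted by the DBA user. :)
GRANT "LOAD" ON DATABASE TO "auction_loaders"

(: A role granted to another role: "auction_loaders" now also holds QUERY on
   "auction" through "auction_readers", in addition to its own LOAD privilege. :)
GRANT "auction_readers" TO "auction_loaders"

(: PUBLIC reaches every user, including users created later; reserve it for
   objects that genuinely every user should be able to read. :)
GRANT "QUERY" ON DOCUMENT "catalog" TO PUBLIC
```

Revoking "auction_readers" from Bob later removes his access to "auction" in one step, which is the practical benefit of granting through roles.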