GitHub user liuyu000 commented on a diff in the pull request:

https://github.com/apache/trafodion/pull/1601#discussion_r194599335

--- Diff: docs/sql_reference/src/asciidoc/_chapters/sql_statements.adoc ---
@@ -5928,19 +5970,117 @@ Specifies the list of columns to grant the requested privilege to. [[grant_authorization_and_availability_requirements]] ==== Authorization and Availability Requirements -To grant a privilege on an object, you must have both that privilege and the right to grant that privilege. Privileges can -be granted directly to you or to one of the roles you have been granted. You can grant a privilege on an object if you are -the owner of the object (by which you are implicitly granted all privileges on the object) or the owner of the schema containing -the object, or if you have been granted both the privilege and the WITH GRANT OPTION for the privilege. +* To grant a privilege on an object, you must have both that privilege and the right to grant that privilege. -If granting privileges on behalf of a role, you must specify the role in the [GRANTED] BY clause. To grant the privileges on -behalf of a role, you must be a member of the role, and the role must have the authority to grant the privileges; that is, the -role must have been granted the privileges WITH GRANT OPTION. +* Privileges can be granted directly to you or to one of the roles you have been granted. + +* You can grant a privilege on an object if one of the following is true: ++ +** If you are the owner of the object (by which you are implicitly granted all privileges on the object). + ++ +** The owner of the schema contains the object. + ++ +** If you have been granted both the privilege and the `WITH GRANT OPTION` for the privilege. + +* If granting privileges on behalf of a role, you must specify the role in the `[GRANTED] BY` clause. ++ +To grant the privileges on behalf of a role, you must be a member of the role, and the role must have the authority to grant the privileges; +that is, the role must have been granted the privileges `WITH GRANT OPTION`. 
+ +* If you lack authority to grant: + +** If you lack authority to grant one or more of the specified privileges, SQL returns a warning (yet does grant the specified +privileges for which you do have authority to grant). + ++ +*Example* + ++ +The owner of the table _customer_ is the _testuser1_, who grants `DELETE`, `INSERT` and `REFERENCES` privileges on the table _customer_ +to the user _testuser2_ with `WITH GRANT OPTION`. + ++ +_testuser1_: -If you lack authority to grant one or more of the specified privileges, SQL returns a warning (yet does grant the specified -privileges for which you do have authority to grant). If you lack authority to grant any of the specified privileges, SQL returns ++ +``` +SQL>GRANT DELETE, INSERT, REFERENCES ON customer TO testuser2 WITH GRANT OPTION; + +--- SQL operation complete. +``` + ++ +Then the _testuser2_ tries to grant all privileges on the table _customer_ to the _testuser3_ but fails because of lacking `SELECT` and +`UPDATE` privileges, only successfully grants those privileges (`DELETE`, `INSERT` and `REFERENCES`) for which the _testuser2_ has +grant options. + --- End diff -- Thanks @robertamarton, your comment has been incorporated :relaxed:
---
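Review bot: In the new sub-list under "You can grant a privilege on an object if one of the following is true", the second item reads "The owner of the schema contains the object", which changes the meaning of the removed sentence ("the owner of the schema containing the object"). It is the grantor who must own the schema, so suggest "You are the owner of the schema containing the object." The other two items start with "If you ...", which does not complete the "one of the following is true" lead-in; dropping the leading "If" would make all three parallel. Because this list defines who is authorized to grant a privilege, the wording should leave no room for misreading. Separately, the "* If you lack authority to grant:" item is immediately followed by a sub-item that opens with the same words; a lead-in such as "If you lack authority to grant one or more privileges:" or folding the two levels together would read better.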