[will add to 10.2 review wiki page with link to this post in archive] http://db.apache.org/derby/docs/dev/ref/rrefsqljgrant.html
This first paragraph I think is technically entirely wrong.

"When a table, view, function, or procedure is created, only the object owner has full privileges on the object. No other users have any privileges on the object until the object owner grants privileges to the users."

1) When an object is created the object owner does not have "full privileges", or maybe we need to document what "full privileges" means.

2) When an object is created one other user does have privileges on the object, the database owner.

Probably a number of ways to tackle this, one is to move this type of information to the individual create statements, since these two sentences are not really about the GRANT statement. Then this would be replaced with (for the GRANT statement):

"A user may grant any grantable privileges that she owns."

In create sections one would have:

CREATE TABLE

The table's owner and the database owner automatically gain these privileges on the table:

    grantable SELECT
    grantable INSERT
    grantable UPDATE
    grantable REFERENCES
    grantable TRIGGER

These privileges cannot be revoked.

CREATE FUNCTION/PROCEDURE

The routine's owner and the database owner automatically gain this privilege on the routine:

    grantable EXECUTE

These privileges cannot be revoked.

CREATE VIEW

The database owner automatically gains this privilege on the view:

    grantable SELECT

This privilege cannot be revoked.

The view's owner automatically gains this privilege on the view:

    SELECT

This privilege cannot be revoked.

If the view's owner has grantable privileges on all objects used by the view (grantable SELECT for columns used from all referenced tables and views, and grantable EXECUTE for all functions used) then the view's owner automatically gains this privilege on the view:

    grantable SELECT

This privilege cannot be revoked, but if a subsequent REVOKE statement revokes one of the dependent grantable privileges this privilege is implicitly revoked.

Probably need some definition of grantable and non-grantable privilege somewhere.

Dan.
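Added example, not part of the original post and not Derby code: a small Python model of the wording proposed above, showing how the view owner's grantable SELECT follows from its dependencies and lapses when one of them is revoked. The `Catalog` class, the `grantable` flag on `grant`, and the users and objects in `demo` are constructed assumptions.

```python
# Model of the rules proposed in the post above; not Derby's implementation.
TABLE_PRIVS = ("SELECT", "INSERT", "UPDATE", "REFERENCES", "TRIGGER")
class Catalog:
    def __init__(self, dbo):
        self.dbo = dbo
        self.implicit = set()  # (user, priv, obj): grantable, cannot be revoked
        self.granted = {}      # (user, priv, obj) -> grantable flag (assumed model)
        self.views = {}        # view -> (owner, [(priv, obj), ...] it uses)

    def create_table(self, owner, name):
        for user in (owner, self.dbo):
            self.implicit.update((user, p, name) for p in TABLE_PRIVS)

    def create_routine(self, owner, name):
        self.implicit.update((u, "EXECUTE", name) for u in (owner, self.dbo))

    def create_view(self, owner, name, deps):
        self.views[name] = (owner, list(deps))
        self.implicit.add((self.dbo, "SELECT", name))

    def holds(self, user, priv, obj):
        # Returns None (no privilege), False (non-grantable) or True (grantable).
        if (user, priv, obj) in self.implicit:
            return True
        if priv == "SELECT" and self.views.get(obj, (None,))[0] == user:
            # Owner always has SELECT; grantable only while every dependency is.
            return all(self.holds(user, p, o) is True for p, o in self.views[obj][1])
        return self.granted.get((user, priv, obj))

    def grant(self, grantor, priv, obj, grantee, grantable=False):
        if self.holds(grantor, priv, obj) is not True:
            raise PermissionError(f"{grantor} has no grantable {priv} on {obj}")
        self.granted[(grantee, priv, obj)] = grantable

    def revoke(self, priv, obj, grantee):
        owns_view = priv == "SELECT" and self.views.get(obj, (None,))[0] == grantee
        if (grantee, priv, obj) in self.implicit or owns_view:
            raise PermissionError("automatically gained privileges cannot be revoked")
        self.granted.pop((grantee, priv, obj), None)

def demo():
    # Constructed scenario: alice owns table t, bob builds view v on it.
    c = Catalog(dbo="dbo")
    c.create_table("alice", "t")
    c.grant("alice", "SELECT", "t", "bob", grantable=True)
    c.create_view("bob", "v", [("SELECT", "t")])
    before = c.holds("bob", "SELECT", "v")
    c.revoke("SELECT", "t", "bob")
    return before, c.holds("bob", "SELECT", "v")
```

In `demo`, bob's SELECT on the view is grantable while he holds grantable SELECT on `t`; after the REVOKE he keeps SELECT on the view but it is no longer grantable.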
