> 3) For every privilege descriptor in CPD whose action is INSERT, UPDATE,
> or REFERENCES without a column name, privilege descriptors are also
> created and added to CPD for each column C in O for which A holds the
> corresponding privilege with grant option. For each such column, a
> privilege descriptor is created that specifies the identical <grantee>,
> the identical <action>, object C, and grantor A.
>
> 4) For every privilege descriptor in CPD whose action is SELECT without a
> column name or method name, privilege descriptors are also created and
> added to CPD for each column C in O for which A holds the corresponding
> privilege with grant option. For each such column, a privilege
> descriptor is created that specifies the identical <grantee>, the
> identical <action>, object C, and grantor A.
>
> As I read it, granting a table-level privilege is equivalent
> to repeating the appropriate column-level privilege for all
> columns. In other words:
>
> For this table:
>
> CREATE TABLE tab (c1 int, c2 int, c3 int);
>
> This statement:
> GRANT SELECT ON tab TO grantee;
>
> ...also implies:
>
> GRANT SELECT (c1) ON tab TO grantee;
> GRANT SELECT (c2) ON tab TO grantee;
> GRANT SELECT (c3) ON tab TO grantee;
>
> This means that after the following, the grantee should have
> no privileges on tab.c1 (but should retain them on tab.c2, tab.c3):
>
> GRANT SELECT ON tab TO grantee;
> REVOKE SELECT (c1) ON tab FROM grantee;

I don't (do not want to) read that conclusion from the above paragraphs, anyone else?
My reasoning is that you can only revoke what has previously been granted.

e.g.
	grant dba to grantee;
cannot be revoked with:
	revoke select on tab from grantee;
for that table

I think the paragraphs have only been added to understand what rights you have
on each column.

Andreas
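
The descriptor expansion in the quoted rules 3 and 4, modelled in Python as an added example (not part of the original thread and not PostgreSQL code). The `Descriptor` type, `expand_cpd` and the sample `grantable` set are constructed for illustration; revocation is not modelled, since the quoted rules only describe what a GRANT creates.

```python
from typing import NamedTuple, Optional

class Descriptor(NamedTuple):
    grantee: str
    action: str
    obj: str                 # table name (O in the quoted text)
    column: Optional[str]    # None means a table-level descriptor
    grantor: str

# Actions that rules 3 and 4 expand to column level.
# Rule 4's "method name" case is not modelled here.
COLUMN_ACTIONS = {"INSERT", "UPDATE", "REFERENCES", "SELECT"}

def expand_cpd(cpd, table_columns, grantable):
    """Apply the quoted rules 3 and 4 to created privilege descriptors.

    cpd            table-level descriptors created by the GRANT
    table_columns  {table: [column, ...]}
    grantable      set of (grantor, action, table, column) that the
                   grantor holds with grant option (constructed input)
    """
    out = list(cpd)
    for d in cpd:
        if d.column is not None or d.action not in COLUMN_ACTIONS:
            continue
        for col in table_columns[d.obj]:
            # Only columns on which the grantor holds the corresponding
            # privilege with grant option get a column descriptor.
            if (d.grantor, d.action, d.obj, col) in grantable:
                out.append(d._replace(column=col))
    return out

def demo():
    cols = {"tab": ["c1", "c2", "c3"]}
    # Constructed: A can re-grant SELECT on every column, UPDATE on c2 only.
    grantable = {("A", "SELECT", "tab", c) for c in cols["tab"]}
    grantable.add(("A", "UPDATE", "tab", "c2"))
    cpd = [Descriptor("grantee", a, "tab", None, "A")
           for a in ("SELECT", "UPDATE", "DELETE")]
    return expand_cpd(cpd, cols, grantable)

if __name__ == "__main__":
    for d in demo():
        print(d)
```

The table-level descriptors stay in the result next to the column-level ones; a partial grant option on the grantor's side (UPDATE on `c2` only) yields column descriptors for just those columns.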