Privileges to access database content in MySQL can be given in different level and context to the user; or in other word in seperate process then setting up a user's account. The list below represents different level scopes of setting privileges in MySQL:
- Administrative privileges - This is a global privilege which can be applied to all databases. It enables users to manage operation of MYSQL server.
- Database privileges - These privileges are applied at the database level and the objects involved in it. The privileges can be specific to a database or global.
- Object privilege - These privileges are applied to the database objects such as tables, indexes, views and stored procedures. It can be for specific objects or all the objects of a database.
These privileges from above are stored in the GRANT tables called user, db, tables_priv, columns_priv, and procs_priv. They are read and stored in memory when the server starts. Whenever there is a change in the privileges, the tables are reloaded. Below is a table of few privileges, the associated column name in the grant table and their context of usage. They are used in GRANT and INVOKE statements.
| Privilege | Column | Context | Usage |
|---|---|---|---|
| CREATE | create_priv | databases, table or indexes | Creates new databases, tables |
| DROP | drop_priv | databases, tables, or views | This privilege drops the existing database, tables and views |
| ALTER | alter_priv | tables | This privilege enables use of ALTER table to change the structure of tables |
| DELETE | delete_priv | tables | This privilege enables rows to be deleted from tables |
| INDEX | index_priv | tables | This privilege enables to create and drop indexes |
| INSERT | insert_priv | tables or columns | This privilege enables rows to be inserted into database |
| SELECT | select_priv | tables or columns | This privilege enables rows to be selected from tables in database |
| CREATE VIEW | create_view_priv | views | This privilege enables use of CREATE VIEW |
| SHOW VIEW | show_view_priv | views | This privilege enables use of SHOW CREATE VIEW |
| ALTER ROUTINE | alter_routine_priv | stored routines | This privilege enables use of ALTER TABLE to change structure of tables |
| CREATE ROUTINE | create_routine_priv | stored routines | This privilege is needed to create stored routines |
| CREATE TABLESPACE | create_tablespace_priv | server administration | This privilege is needed to create, alter and drop tablespaces and log file groups |
| CREATE USER | create_user_priv | server administration | This privilege is enables use of CREATE USER, DROP USER, RENAME USER and REVOKE ALL PRIVILEGES |
| SHOW DATABASES | show_db_priv | server administration | This privilege is enables the account to see database names by issuing SHOW DATABASE statement |
| SHUTDOWN | shutdown_priv | server administration | This privilege is enables use of mysqladmin shutdown command |
| SUPER | super_priv | server administration | This privilege is enables an account to use of CHANGE MASTER TO, KILL threads belonging to other accounts |
GRANT statement
The MYSQL GRANT statement syntax, which allows granting access privileges to database accounts, is presented in example below:
GRANT privileges (columnList)
ON (objectType) privilegeLevel
TO account (IDENTIFIED BY 'password')
[REQUIRE encryption]
WITH options;
Where,
- privileges - The privileges given above which is assigned to the account. Multiple privileges can be granted using single GRANT statement.
- columnList - This specifies the column to which privilege is applied. This is an optional choice.
- privilegeLevel - The level of privilege such as global privilege, database-specific privilege, table specific privilege, column specific privilege ?etc.
- account - Specifies which account to which privilege is granted.
- password - It specifies the password to assign to the account.
- REQUIRE encryption - Specifies if the account has to be connected to the server over secured SSL connection.
- WITH options - We can add options such as allocating MYSQL database server resources, grant one accounts privilege to other accounts etc...
A couple examples more of GRANT statements:
GRANT ALL ON *.* TO 'super'@'localhost' WITH GRANT OPTION;
GRANT SELECT, UPDATE, DELETE ON patientsDB.* TO 'doctor'@'%';
REVOKE statement
The REVOKE statements are used to revoke the privileges from an account. Its syntax goes like this:
REVOKE privilegeType (columnList) [, priv_type(COlumnList)]
ON objectType privilegeLevel
FROM user [, user] ...;
To revoke all privileges of a user/s, this may be done:
REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user [, user] ...;
Where,
- The list of privileges to be revoked are given after REVOKE keyword.
- The privilege level at that privilege are to be revoked are given after ON clause.
- The accounts to which the privileges are revoked are given after FROM keyword.
To check the privileges of a user before revoking them, the following syntax is used:
SHOW GRANTS FROM user;
Example:
REVOKE UPDATE, DELETE ON patientsDB.* FROM 'doctor'@'%';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'doctor'@'localhost';
Comments
No comments have been made yet.
Please login to leave a comment. Login now