Re: GRANT/REVOKE: Allow column-level privileges

On Thu, Jan 26, 2006 at 10:25:40PM +0800, William ZHANG wrote:
> 
> I think we should pay attention to the sematic of table privs and column
> privs.
> Here is some examples.
> 
> 1. role1 GRANT table priviledge SELECT on table S to role2.
>     role1 REVOKE column priviledge SELECT on column S(SNO) from role2.

As I understand the SQL spec, the first (table-level) GRANT you specified
would be equivalent to repeating an appropriate column-level GRANT for
every column of S.  My thought was to check the column privs and apply
this logic:
if user matches an acl for the column    .. and priv is granted, then permit    .. else priv is not granted, rejectelse
fallthrough to table privileges
 

> 2. deal with circles in GRANT graph.

Can you give an examle for how this is any different for column-level
GRANTs?

-- kevin brintnall =~ <kbrint@rufus.net>