Re: GRANT/REVOKE: Allow column-level privileges
From | Zeugswetter Andreas DCP SD |
---|---|
Subject | Re: GRANT/REVOKE: Allow column-level privileges |
Date | |
Msg-id | E1539E0ED7043848906A8FF995BDA579C7EDC1@m0143.s-mxs.net |
List | pgsql-hackers |

> 3) For every privilege descriptor in CPD whose action is INSERT, UPDATE,
> or REFERENCES without a column name, privilege descriptors are also
> created and added to CPD for each column C in O for which A holds the
> corresponding privilege with grant option. For each such column, a
> privilege descriptor is created that specifies the identical <grantee>,
> the identical <action>, object C, and grantor A.
>
> 4) For every privilege descriptor in CPD whose action is SELECT without a
> column name or method name, privilege descriptors are also created and
> added to CPD for each column C in O for which A holds the corresponding
> privilege with grant option. For each such column, a privilege
> descriptor is created that specifies the identical <grantee>, the
> identical <action>, object C, and grantor A.
>
> As I read it, granting a table-level privilege is equivalent
> to repeating the appropriate column-level privilege for all
> columns. In other words:
>
> For this table:
>
> CREATE TABLE tab (c1 int, c2 int, c3 int);
>
> This statement:
> GRANT SELECT ON tab TO grantee;
>
> ...also implies:
>
> GRANT SELECT (c1) ON tab TO grantee;
> GRANT SELECT (c2) ON tab TO grantee;
> GRANT SELECT (c3) ON tab TO grantee;
>
> This means that after the following, the grantee should have
> no privileges on tab.c1 (but should retain them on tab.c2, tab.c3):
>
> GRANT SELECT ON tab TO grantee;
> REVOKE SELECT (c1) ON tab FROM grantee;

I don't (do not want to) read that conclusion from above paragraphs, anyone else?
My reasoning is, that you can only revoke what has previously been granted.

e.g. grant dba to grantee;
cannot be revoked with: revoke select on tab from grantee; for that table

I think the paragraphs have only been added to understand what rights you have on each column.

Andreas