DCL in SQL

DCL commands are used to enforce database security in a multiple user database environment.
Two types of DCL commands are GRANT and REVOKE. Only Database Administrators or owners of
the database object can provide/remove privileges on a database object.
SQL GRANT Command

SQL GRANT is a command used to provide access or privileges on the database objects to the
users.
The Syntax for the GRANT command is:

GRANT privilege_name
ON object_name
TO {user_name |PUBLIC |role_name}
[WITH GRANT OPTION];
 privilege_name is the access right or privilege granted to the user. Some of the access
rights are ALL, EXECUTE, and SELECT.
 object_name is the name of an database object like TABLE, VIEW, STORED PROC and
SEQUENCE.
 user_name is the name of the user to whom an access right is being granted.
 PUBLIC is used to grant access rights to all users.
 ROLES are a set of privileges grouped together.
 WITH GRANT OPTION - allows a user to grant access rights to other users.
For Eample: GRANT SELECT ON employee TO user1;This command grants a SELECT permission
on employee table to user1.You should use the WITH GRANT option carefully because for example
if you GRANT SELECT privilege on employee table to user1 using the WITH GRANT option, then
user1 can GRANT SELECT privilege on employee table to another user, such as user2 etc. Later, if
you REVOKE the SELECT privilege on employee from user1, still user2 will have SELECT privilege
on employee table.
SQL REVOKE Command:

The REVOKE command removes user access rights or privileges to the database objects.
The Syntax for the REVOKE command is:
REVOKE privilege_name
ON object_name
FROM {user_name |PUBLIC |role_name}
For Eample: REVOKE SELECT ON employee FROM user1;This commmand will REVOKE a SELECT
privilege on employee table from user1.When you REVOKE SELECT privilege on a table from a user,
the user will not be able to SELECT data from that table anymore. However, if the user has
received SELECT privileges on that table from more than one users, he/she can SELECT from that
table until everyone who granted the permission revokes it. You cannot REVOKE privileges if they
were not initially granted by you.
Privileges and Roles:

Privileges: Privileges defines the access rights provided to a user on a database object. There are
two types of privileges.
1) System privileges - This allows the user to CREATE, ALTER, or DROP database objects.
2) Object privileges - This allows the user to EXECUTE, SELECT, INSERT, UPDATE, or DELETE
data from database objects to which the privileges apply.
Few CREATE system privileges are listed below:
System
Description
Privileges
allows users to create the specified object in
CREATE object
their own schema.
CREATE ANY allows users to create the specified object in
object any schema.
The above rules also apply for ALTER and DROP system privileges.
Few of the object privileges are listed below:
Object
Description
Privileges
INSERT allows users to insert rows into a table.
allows users to select data from a database
SELECT
object.
UPDATE allows user to update data in a table.
allows user to execute a stored procedure or
EXECUTE
a function.
Roles: Roles are a collection of privileges or access rights. When there are many users in a
database it becomes difficult to grant or revoke privileges to users. Therefore, if you define roles,
you can grant or revoke privileges to users, thereby automatically granting or revoking privileges.
You can either create Roles or use the system roles pre-defined by oracle.
Some of the privileges granted to the system roles are as given below:
System
Privileges Granted to the Role
Role
CREATE TABLE, CREATE VIEW, CREATE
CONNECT SYNONYM, CREATE SEQUENCE, CREATE
SESSION etc.
CREATE PROCEDURE, CREATE SEQUENCE,
CREATE TABLE, CREATE TRIGGER etc. The
RESOURCE
primary usage of the RESOURCE role is to
restrict access to database objects.
DBA ALL SYSTEM PRIVILEGES
Creating Roles:
The Syntax to create a role is:
CREATE ROLE role_name
[IDENTIFIED BY password];
For example: To create a role called "developer" with password as "pwd",the code will be as
follows
CREATE ROLE testing
[IDENTIFIED BY pwd];
It's easier to GRANT or REVOKE privileges to the users through a role rather than assigning a
privilege direclty to every user. If a role is identified by a password, then, when you GRANT or
REVOKE privileges to the role, you definetely have to identify it with the password.
We can GRANT or REVOKE privilege to a role as below.
For example: To grant CREATE TABLE privilege to a user by creating a testing role:
First, create a testing Role
CREATE ROLE testing
Second, grant a CREATE TABLE privilege to the ROLE testing. You can add more privileges to the
ROLE.
GRANT CREATE TABLE TO testing;
Third, grant the role to a user.
GRANT testing TO user1;
To revoke a CREATE TABLE privilege from testing ROLE, you can write:
REVOKE CREATE TABLE FROM testing;

The Syntax to drop a role from the database is as below:
DROP ROLE role_name;
For example: To drop a role called developer, you can write:
DROP ROLE testing;

DCL in SQL

Uploaded by

DCL in SQL

Uploaded by

DCL commands are used to enforce database security in a multiple user database environment.

SQL GRANT Command

The Syntax for the GRANT command is:

SQL REVOKE Command:

The Syntax for the REVOKE command is:

Privileges and Roles:

Few CREATE system privileges are listed below:

Few of the object privileges are listed below:

We can GRANT or REVOKE privilege to a role as below.

First, create a testing Role

CREATE ROLE testing

GRANT CREATE TABLE TO testing;

Third, grant the role to a user.

GRANT testing TO user1;

REVOKE CREATE TABLE FROM testing;

You might also like