SQL - GRANT
Changes the permission of a role, granting it access to one or more resources. To remove access to a resource from the role, see the REVOKE command.
Syntax
GRANT [ <permission> | POLICY <policyName> ] ON <resource> TO <role>
<permission>Defines the permission you want to grant to the role.<policyName>Defines the name of a security policy<resource>Defines the resource on which you want to grant the permissions.<role>Defines the role you want to grant the permissions.
Examples
-
Grant permission to update any record in the cluster
accountto the rolebackoffice:orientdb>
GRANT UPDATE ON database.cluster.account TO backoffice -
Bind a security policy called
policy1to Person class records, for the rolebackoffice:orientdb>
GRANT POLICY policy1 ON database.class.Person TO backoffice
For more information, see
Supported Permissions
Using this command, you can grant the following permissions to a role.
| Permission | Description |
|---|---|
NONE | Grants no permissions on the resource. |
CREATE | Grants create permissions on the resource, such as the CREATE CLASS or CREATE CLUSTER commands. |
READ | Grants read permissions on the resource, such as the SELECT query. |
UPDATE | Grants update permissions on the resource, such as the UPDATE or UPDATE EDGE commands. |
DELETE | Grants delete permissions on the resource, such as the DROP INDEX or DROP SEQUENCE commands. |
ALL | Grants all permissions on the resource. |
Supported Resources
Using this command, you can grant permissions on the following resources.
| Resource | Description |
|---|---|
database | Grants access on the current database. |
database.class.<class> | Grants access on records contained in the indicated class. Use ** to indicate all classes. |
database.class.<class>.<property> | Grants access on a single property in the indicated class. Use ** to indicate all classes and/or all properties (this is intended only for security policies) |
database.cluster.<cluster> | Grants access to records contained in the indicated cluster. Use ** to indicate all clusters. |
database.query | Grants the ability to execute a query, (READ is sufficient). |
database.command.<command> | Grants the ability to execute the given command. Use CREATE for INSERT, READ for SELECT, UPDATE for UPDATE and DELETE for DELETE. |
database.config.<permission> | Grants access to the configuration. Valid permissions are READ and UPDATE. |
database.hook.record | Grants the ability to set hooks. |
server.admin | Grants the ability to access server resources. |
Policy assignment is supported for records only, so you can assign security policies to class and property resources