Privileges Cascade

Privileges can cascade up; that is, privileges granted on some object can imply grants of privileges on other objects. These situations are covered by the following principles:

  • If the grantee owns an updatable view and is being GRANTed privileges on its leaf underlying table (the base table wherein the data finally resides, regardless of any intervening tables or views), these privileges are GRANTed for the view as well. If specified, the grant option also cascades up. There is only one leaf underlying table for an updatable view
  • If the grantee owns an updatable view that immediately references the table on which privileges are being GRANTed (in other words, if the reference appears in the FROM clause without an intervening view), these privileges can also cascade up, including the grant option, if applicable
  • If the grantee owns a view, updatable or not, that grantee already has the SELECT privilege on all tables referenced in its definition, as well as on the view itself. If the grantee gains the grant option on SELECT on all the referenced tables, he or she also acquires the grant option on the SELECT privilege on the view

In all of these situations, the grantor of the privilege is ''_SYSTEM,'' which denotes an automatic grant.

For each privilege that is granted, a privilege descriptor is effectively created. (This is a theoretical construct used by the ISO standard to specify privilege behavior; it may not actually exist.) The privilege descriptor indicates:

  • The grantee that has received the privilege
  • The privilege itself (the action that can be performed)
  • The object on which the privilege is granted, which may be one of those listed above or a column
  • The grantor that conferred the privilege. For automatic grants, this is the built-in value ''_SYSTEM''
  • Whether the privilege is grantable (GRANTed with the grant option)

Multiple identical privilege descriptors are combined, so that a privilege granted twice by the same grantor need be revoked only once. Likewise, if two privilege descriptors differ only in that one confers grant option and the other does not, they are merged into a single privilege with grant option. If the grantor lacks the ability to grant the privileges attempted, a completion condition is raised - a warning that privileges were not granted.