An SPL program (including functions, stored procedures, and packages) can be executed only when at least one of the following conditions is met:
- The current user who calls the SPL program is a superuser.
- The current user who calls the SPL program has been granted the EXECUTE permission on the SPL program.
- The current user who calls the SPL program inherits the EXECUTE permission by becoming a member of the group that has been granted the EXECUTE permission on the SPL program.
- The EXECUTE permission has been granted to the PUBLIC group.
When an SPL program is created in PolarDB, the EXECUTE permission is granted to the PUBLIC group by default. Therefore, any user can execute the program.

To restrict access, revoke the default EXECUTE permission from PUBLIC and grant it only to the users who need it:

```sql
REVOKE EXECUTE ON PROCEDURE list_emp FROM PUBLIC;
GRANT EXECUTE ON PROCEDURE list_emp TO john;
```

In this example, the user john can execute the list_emp program, but the users who do not meet the conditions listed at the beginning of this topic cannot execute the program.
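
The following added example (not part of the PolarDB documentation) audits which programs PUBLIC can still execute, grants `list_emp` through a group role instead of a direct grant, and verifies the result. It assumes that the PostgreSQL-compatible catalogs `pg_proc`, `pg_namespace`, and `pg_roles` and the function `has_function_privilege()` are available in PolarDB; the role `hr_ops` and the user `mary` are hypothetical.

```sql
-- Assumption: PostgreSQL-compatible catalogs and has_function_privilege()
-- are available. hr_ops and mary are hypothetical; list_emp and john are
-- the names used on this page.

-- 1. Audit: user-defined programs that PUBLIC can execute.
--    Right after creation this lists every program, because EXECUTE is
--    granted to PUBLIC by default.
SELECT n.nspname                                 AS schema_name,
       p.proname                                 AS program_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       pg_get_userbyid(p.proowner)               AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_function_privilege('public', p.oid, 'EXECUTE')
ORDER BY schema_name, program_name;

-- 2. Lock down one program and grant it through group membership, so that
--    access is managed by adding users to or removing them from hr_ops.
BEGIN;
REVOKE EXECUTE ON PROCEDURE list_emp FROM PUBLIC;
CREATE ROLE hr_ops;
GRANT EXECUTE ON PROCEDURE list_emp TO hr_ops;
GRANT hr_ops TO john;
COMMIT;

-- 3. Verify the effective permission per user.
--    Expected: john -> true (inherited from hr_ops);
--              mary -> false, unless mary is a superuser or owns list_emp.
SELECT r.rolname,
       r.rolsuper,
       has_function_privilege(r.rolname, p.oid, 'EXECUTE') AS can_execute
FROM pg_proc p
CROSS JOIN pg_roles r
WHERE p.proname = 'list_emp'
  AND r.rolname IN ('john', 'mary')
ORDER BY r.rolname;
```

Rerun the audit query in step 1 after each deployment: newly created programs reappear in it until their default PUBLIC grant is revoked.
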
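While it runs, an SPL program may attempt to perform operations such as the following on database objects:
- Read or modify data in tables and views.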
- Create, modify, or delete database objects, such as tables, views, indexes, and sequences.
- Retrieve the current or next value from a sequence.
- Call another program, such as a function, stored procedure, or package.
You can ensure the security of operations by limiting the permissions on database objects.
Note that a database may have multiple objects that have the same name and type, but belong to different schemas. For more information about which object is to be referenced by an SPL program in this case, see the next topic.