An SPL program (including functions, stored procedures, and packages) can be executed only if at least one of the following conditions is met:

  • The current user who calls the SPL program is a superuser.
  • The current user who calls the SPL program has been granted the EXECUTE permission on the SPL program.
  • The current user who calls the SPL program inherits the EXECUTE permission by becoming a member of the group that has been granted the EXECUTE permission on the SPL program.
  • The EXECUTE permission has been granted to the PUBLIC group.

When the SPL program is created in PolarDB, the EXECUTE permission is granted to the PUBLIC group by default. Therefore, any user can execute the program.

You can remove the default setting by running the REVOKE EXECUTE command. For more information, see REVOKE command. The following code provides an example of the command:

    REVOKE EXECUTE ON PROCEDURE list_emp FROM PUBLIC;

You can then grant the EXECUTE permission on the SPL program to a specified user or group:

    GRANT EXECUTE ON PROCEDURE list_emp TO john;

In this example, the user john can execute the list_emp program, but users who do not meet any of the conditions listed at the beginning of this topic cannot execute the program.
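The following script is an added example, not part of the original topic. It combines the REVOKE and GRANT statements above with a group grant and two audit queries. The names hr_staff and mary are hypothetical, and the script assumes that the PostgreSQL-compatible catalogs (pg_proc, pg_namespace, pg_roles) and the has_function_privilege() function are available in the cluster.

```sql
-- Added example. list_emp and john come from this topic;
-- hr_staff and mary are hypothetical names (mary must already exist).

-- 1. Remove the default EXECUTE grant to PUBLIC.
REVOKE EXECUTE ON PROCEDURE list_emp FROM PUBLIC;

-- 2. Grant through a group so that access follows membership.
CREATE ROLE hr_staff;
GRANT EXECUTE ON PROCEDURE list_emp TO hr_staff;
GRANT hr_staff TO mary;   -- mary inherits EXECUTE (roles have INHERIT by default)

-- 3. Grant directly to a single user, as shown above.
GRANT EXECUTE ON PROCEDURE list_emp TO john;

-- 4. Audit: list user-defined programs that PUBLIC can still execute.
--    Assumes has_function_privilege() accepts 'public' as in PostgreSQL.
SELECT n.nspname                   AS schema_name,
       p.proname                   AS program_name,
       pg_get_userbyid(p.proowner) AS owner
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname NOT IN ('pg_catalog', 'information_schema')
AND    has_function_privilege('public', p.oid, 'EXECUTE')
ORDER  BY schema_name, program_name;

-- 5. Verify the effective permission of specific users on list_emp.
--    The result covers direct grants, inherited group grants, and
--    superuser status, so a superuser always shows true.
SELECT r.rolname,
       has_function_privilege(r.rolname, p.oid, 'EXECUTE') AS can_execute
FROM   pg_roles r
CROSS  JOIN pg_proc p
WHERE  p.proname = 'list_emp'
AND    r.rolname IN ('john', 'mary');
```

An empty result from query 4 means no user-defined program relies on the default PUBLIC grant. Query 5 should return true for both john and mary.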

After a program starts execution, a permission check is performed before the program carries out any of the following operations on database objects:
  • Read or modify data in tables and views.
  • Create, modify, or delete database objects, such as tables, views, indexes, and sequences.
  • Retrieve the current or next value from a sequence.
  • Call another program, such as a function, stored procedure, or package.

You can ensure the security of operations by limiting the permissions on database objects.

Note that a database may have multiple objects that have the same name and type, but belong to different schemas. For more information about which object is to be referenced by an SPL program in this case, see the next topic.