This topic describes EXECUTE privileges.
An SPL program (function, stored procedure, or package) can be executed only if one of the following conditions is met:
- The current user has been granted the EXECUTE privilege on the SPL program.
- The current user inherits the EXECUTE privilege on the SPL program because the user is a member of a group that has this EXECUTE privilege.
- The EXECUTE privilege has been granted to the PUBLIC group.
When you create an SPL program in PolarDB-O, the EXECUTE privilege is automatically granted to the PUBLIC group by default. Therefore, any user can immediately execute the program.
You can run the REVOKE EXECUTE command to remove this default privilege, as shown in the following example:
REVOKE EXECUTE ON PROCEDURE list_emp FROM PUBLIC;
Then, you can explicitly grant the EXECUTE privilege on the program to individual users or groups.
GRANT EXECUTE ON PROCEDURE list_emp TO john;
Now, user john can execute the list_emp program. Other users who do not meet any of the conditions listed at the beginning of this topic cannot execute this program.
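Because the grant to PUBLIC is the default, it is worth checking which programs are still executable by everyone. The following query is an added example, not part of the original PolarDB-O documentation. It assumes that the PostgreSQL system catalogs pg_proc and pg_namespace and the aclexplode() function are available, and the excluded schema names are assumptions.

```sql
-- Added example: list functions and procedures recorded in pg_proc
-- that the PUBLIC group can still execute.
-- A NULL proacl means the default ACL is in effect, which includes
-- EXECUTE for PUBLIC; otherwise look for an explicit PUBLIC entry.
SELECT n.nspname AS schema_name,
       p.proname AS program_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       CASE WHEN p.proacl IS NULL
            THEN 'default ACL (EXECUTE never revoked)'
            ELSE 'explicit EXECUTE grant to PUBLIC'
       END AS reason
FROM pg_proc AS p
JOIN pg_namespace AS n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema', 'sys')  -- assumed system schemas
  AND (
        p.proacl IS NULL
        OR EXISTS (
             SELECT 1
             FROM aclexplode(p.proacl) AS a
             WHERE a.grantee = 0                  -- grantee OID 0 denotes PUBLIC
               AND a.privilege_type = 'EXECUTE'
           )
      )
ORDER BY n.nspname, p.proname;
```

After the REVOKE statement above has been run, list_emp should no longer appear in the result.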
After a program begins to execute, the next aspect of security is which privilege checks occur if the program attempts to perform an action on a database object. The actions include:
- Reading or modifying table or view data
- Creating, modifying, or deleting a database object such as a table, view, index, or sequence
- Obtaining the current or next value from a sequence
- Calling another program (a function, stored procedure, or package)
Each of these actions can be protected by the privileges on the database object that are allowed or disallowed for the user.