This topic describes EXECUTE privileges.
An SPL program (function, stored procedure, or package) can be executed only if one of the following conditions is met:
- The current user has been granted the EXECUTE privilege on the SPL program.
- The current user inherits the EXECUTE privilege on the SPL program because the user is a member of a group that has this EXECUTE privilege.
- The EXECUTE privilege has been granted to the PUBLIC group.
When you create an SPL program in PolarDB for PostgreSQL(Compatible with Oracle), the EXECUTE privilege is automatically granted to the PUBLIC group by default. Therefore, a user can immediately execute the program.
You can run the REVOKEEXECUTE command to delete this default privilege, as shown in the following example:
REVOKE EXECUTE ON PROCEDURE list_emp FROM PUBLIC;
Then, the explicit EXECUTE privilege on the program can be granted to each user or a group.
GRANT EXECUTE ON PROCEDURE list_emp TO john;
At present, User john can execute the list_emp program. Other users who do not meet a condition listed at the beginning of this topic cannot execute this program.
After a program starts to be executed, the next aspect of security is what privilege checks occur if the program attempts to perform an action on a database object. The actions include:
- Reading or modifying table or view data
- Creating, modifying, or deleting a database object such as a table, view, index, or sequence
- Obtaining the current or next value from a sequence
- Calling another program (a function, stored procedure, or package)
On the database object, privileges that are allowed or disallowed for the user can protect each of these actions.