This topic describes EXECUTE privileges.

An SPL program (function, stored procedure, or package) can be executed only if one of the following conditions is met:

  • The current user has been granted the EXECUTE privilege on the SPL program.
  • The current user inherits the EXECUTE privilege on the SPL program because the user is a member of a group that has this EXECUTE privilege.
  • The EXECUTE privilege has been granted to the PUBLIC group.

When you create an SPL program in PolarDB O Edition, the EXECUTE privilege is automatically granted to the PUBLIC group by default. Therefore, a user can immediately execute the program.

You can run the REVOKEEXECUTE command to delete this default privilege, as shown in the following example:

REVOKE EXECUTE ON PROCEDURE list_emp FROM PUBLIC;

Then, the explicit EXECUTE privilege on the program can be granted to each user or a group.

GRANT EXECUTE ON PROCEDURE list_emp TO john;

At present, User john can execute the list_emp program. Other users who do not meet a condition listed at the beginning of this topic cannot execute this program.

After a program starts to be executed, the next aspect of security is what privilege checks occur if the program attempts to perform an action on a database object. The actions include:

  • Reading or modifying table or view data
  • Creating, modifying, or deleting a database object such as a table, view, index, or sequence
  • Obtaining the current or next value from a sequence
  • Calling another program (a function, stored procedure, or package)

On the database object, privileges that are allowed or disallowed for the user can protect each of these actions.

Note A database can have multiple objects that have the same type and name, but each of these objects belongs to a different schema in the database. For more information about which object is being referenced by an SPL program in this case, see Name resolution of database objects.