SQL - GRANT

Changes the permission of a role, granting it access to one or more resources. To remove access to a resource from the role, see the REVOKE command.

Syntax

GRANT [ <permission> | POLICY <policyName> ] ON <resource> TO <role>
  • <permission> Defines the permission you want to grant to the role.
  • <policyName> Defines the name of a security policy.
  • <resource> Defines the resource on which you want to grant the permissions.
  • <role> Defines the role to which you want to grant the permissions.

Examples

  • Grant permission to update any record in the cluster account to the role backoffice:

    orientdb> GRANT UPDATE ON database.cluster.account TO backoffice
    
  • Bind a security policy called policy1 to Person class records, for the role backoffice:

    orientdb> GRANT POLICY policy1 ON database.class.Person TO backoffice
    

For more information, see

Supported Permissions

Using this command, you can grant the following permissions to a role.

| Permission | Description |
|---|---|
| NONE | Grants no permissions on the resource. |
| CREATE | Grants create permissions on the resource, such as the CREATE CLASS or CREATE CLUSTER commands. |
| READ | Grants read permissions on the resource, such as the SELECT query. |
| UPDATE | Grants update permissions on the resource, such as the UPDATE or UPDATE EDGE commands. |
| DELETE | Grants delete permissions on the resource, such as the DROP INDEX or DROP SEQUENCE commands. |
| ALL | Grants all permissions on the resource. |

Supported Resources

Using this command, you can grant permissions on the following resources.

| Resource | Description |
|---|---|
| database | Grants access on the current database. |
| database.class.<class> | Grants access on records contained in the indicated class. Use ** to indicate all classes. |
| database.class.<class>.<property> | Grants access on a single property in the indicated class. Use ** to indicate all classes and/or all properties (this is intended only for security policies). |
| database.cluster.<cluster> | Grants access to records contained in the indicated cluster. Use ** to indicate all clusters. |
| database.query | Grants the ability to execute a query (READ is sufficient). |
| database.command.<command> | Grants the ability to execute the given command. Use CREATE for INSERT, READ for SELECT, UPDATE for UPDATE and DELETE for DELETE. |
| database.config.<permission> | Grants access to the configuration. Valid permissions are READ and UPDATE. |
| database.hook.record | Grants the ability to set hooks. |
| server.admin | Grants the ability to access server resources. |

Policy assignment is supported for records only, so you can assign security policies to class and property resources.
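
As an added example (not part of the OrientDB documentation), the following Python linter checks GRANT statements, for instance from a migration script, against the syntax, the two tables and the policy rule on this page, and reports grants that deserve a second look in review. The `lint_grant` name, the finding strings, the case-sensitive matching of resource names and the choice to flag ALL, `**`, `database` and `server.admin` as broad are assumptions of this example.

```python
import re

# Permissions and resource shapes copied from the two tables on this page.
PERMISSIONS = {"NONE", "CREATE", "READ", "UPDATE", "DELETE", "ALL"}
NAME = r"(?:\*\*|\w+)"  # a concrete name or the ** wildcard
RESOURCES = [
    ("database", r"database"),
    ("class", rf"database\.class\.{NAME}"),
    ("property", rf"database\.class\.{NAME}\.{NAME}"),
    ("cluster", rf"database\.cluster\.{NAME}"),
    ("query", r"database\.query"),
    ("command", r"database\.command\.\w+"),
    ("config", r"database\.config\.\w+"),
    ("hook", r"database\.hook\.record"),
    ("server", r"server\.admin"),
]
# GRANT [ <permission> | POLICY <policyName> ] ON <resource> TO <role>
GRANT_RE = re.compile(r"\s*GRANT\s+(?:POLICY\s+(?P<policy>\w+)|(?P<perm>\w+))"
                      r"\s+ON\s+(?P<res>\S+)\s+TO\s+(?P<role>\w+)\s*;?\s*", re.I)

def lint_grant(stmt):
    """Return review findings for one GRANT statement (hypothetical helper)."""
    m = GRANT_RE.fullmatch(stmt)
    if not m:
        return ["syntax: does not match the GRANT grammar"]
    res, findings = m["res"], []
    kind = next((k for k, p in RESOURCES if re.fullmatch(p, res)), None)
    if kind is None:
        findings.append(f"resource: '{res}' is not a supported resource")
    if m["policy"]:  # policies bind to records only: class and property
        if kind not in (None, "class", "property"):
            findings.append(f"policy: cannot bind a policy to a {kind} resource")
    else:
        perm = m["perm"].upper()
        if perm not in PERMISSIONS:
            findings.append(f"permission: '{perm}' is not supported")
        if perm == "ALL":
            findings.append("broad: ALL grants every permission on the resource")
        if "**" in res:
            findings.append("broad: ** wildcard used with a plain permission")
    if kind in ("database", "server"):
        findings.append(f"broad: grant targets the whole {kind}")
    return findings

if __name__ == "__main__":
    # Constructed input: one example from this page, then two grants to flag.
    for s in ("GRANT UPDATE ON database.cluster.account TO backoffice",
              "GRANT ALL ON database.class.** TO backoffice",
              "GRANT POLICY policy1 ON database.cluster.account TO backoffice"):
        print(s, "->", lint_grant(s) or "ok")
```

An empty list means the statement matches the grammar and names a supported permission and resource; it does not prove the role or policy exists in the database.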