a particular
object vary depending on the object's type (table, function, etc.).
More detail about the meanings of these privileges appears below.
The following sections and chapters will also show you how
these privileges are used.
</para>
<para>
The right to modify or destroy an object is inherent in being the
object's owner, and cannot be granted or revoked in itself.
(However, like all privileges, that right can be inherited by
members of the owning role; see <xref linkend="role-membership"/>.)
</para>
<para>
An object can be assigned to a new owner with an <command>ALTER</command>
command of the appropriate kind for the object, for example
<programlisting>
ALTER TABLE <replaceable>table_name</replaceable> OWNER TO <replaceable>new_owner</replaceable>;
</programlisting>
Superusers can always do this; ordinary roles can only do it if they are
both the current owner of the object (or inherit the privileges of the
owning role) and able to <literal>SET ROLE</literal> to the new owning role.
</para>
<para>
To assign privileges, the <xref linkend="sql-grant"/> command is
used. For example, if <literal>joe</literal> is an existing role, and
<literal>accounts</literal> is an existing table, the privilege to
update the table can be granted with:
<programlisting>
GRANT UPDATE ON accounts TO joe;
</programlisting>
Writing <literal>ALL</literal> in place of a specific privilege grants all
privileges that are relevant for the object type.
</para>
<para>
The special <quote>role</quote> name <literal>PUBLIC</literal> can
be used to grant a privilege to every role on the system. Also,
<quote>group</quote> roles can be set up to help manage privileges when
there are many users of a database — for details see
<xref linkend="user-manag"/>.
</para>
<para>
To revoke a previously-granted privilege, use the fittingly named
<xref linkend="sql-revoke"/> command:
<programlisting>
REVOKE ALL ON accounts FROM PUBLIC;
</programlisting>
</para>
<para>
Ordinarily, only the object's owner (or a superuser) can grant or
revoke privileges on an object. However, it is possible to grant a
privilege <quote>with grant option</quote>, which gives the recipient
the right to grant it in turn to others. If the grant option is
subsequently revoked then all who received the privilege from that
recipient (directly or through a chain of grants) will lose the
privilege. For details see the <xref linkend="sql-grant"/> and
<xref linkend="sql-revoke"/> reference pages.
</para>
<para>
An object's owner can choose to revoke their own ordinary privileges,
for example to make a table read-only for themselves as well as others.
But owners are always treated as holding all grant options, so they
can always re-grant their own privileges.
</para>
<para>
The available privileges are:
<variablelist>
<varlistentry id="ddl-priv-select">
<term><literal>SELECT</literal></term>
<listitem>
<para>
Allows <command>SELECT</command> from
any column, or specific column(s), of a table, view, materialized
view, or other table-like object.
Also allows use of <command>COPY TO</command>.
This privilege is also needed to reference existing column values in
<command>UPDATE</command>, <command>DELETE</command>,
or <command>MERGE</command>.
For sequences, this privilege also allows use of the
<function>currval</function> function.
For large objects, this privilege allows the object to be read.
</para>
</listitem>
</varlistentry>
<varlistentry id="ddl-priv-insert">
<term><literal>INSERT</literal></term>
<listitem>
<para>
Allows <command>INSERT</command> of a new row into a table, view,
etc. Can be granted on specific column(s), in which case
only those columns may be assigned to in the <command>INSERT</command>