Re: GRANT/REVOKE: Allow column-level privileges

From: "Zeugswetter Andreas DCP SD" <ZeugswetterA(at)spardat(dot)at>
To: "kevin brintnall" <kbrint(at)rufus(dot)net>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: GRANT/REVOKE: Allow column-level privileges
Date: 2006-01-31 08:52:14
Message-ID: E1539E0ED7043848906A8FF995BDA579C7EDC1@m0143.s-mxs.net
Lists: pgsql-hackers


> 3) For every privilege descriptor in CPD whose action is INSERT, UPDATE,
> or REFERENCES without a column name, privilege descriptors are also
> created and added to CPD for each column C in O for which A holds the
> corresponding privilege with grant option. For each such column, a
> privilege descriptor is created that specifies the identical <grantee>,
> the identical <action>, object C, and grantor A.
>
> 4) For every privilege descriptor in CPD whose action is SELECT without a
> column name or method name, privilege descriptors are also created and
> added to CPD for each column C in O for which A holds the corresponding
> privilege with grant option. For each such column, a privilege
> descriptor is created that specifies the identical <grantee>, the
> identical <action>, object C, and grantor A.
>
> As I read it, granting a table-level privilege is equivalent
> to repeating the appropriate column-level privilege for all
> columns. In other words:
>
> For this table:
>
> CREATE TABLE tab (c1 int, c2 int, c3 int);
>
> This statement:
> GRANT SELECT ON tab TO grantee;
>
> ...also implies:
>
> GRANT SELECT (c1) ON tab TO grantee;
> GRANT SELECT (c2) ON tab TO grantee;
> GRANT SELECT (c3) ON tab TO grantee;
>
> This means that after the following, the grantee should have
> no privileges on tab.c1 (but should retain them on tab.c2, tab.c3):
>
> GRANT SELECT ON tab TO grantee;
> REVOKE SELECT (c1) ON tab FROM grantee;

I don't (do not want to) read that conclusion from the above paragraphs;
anyone else?
My reasoning is that you can only revoke what has previously been
granted.

e.g. "grant dba to grantee;"
cannot be revoked for that table with "revoke select on tab from grantee;"

I think the paragraphs have only been added to understand what rights
you have on each column.

Andreas
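The two readings in this thread can be told apart on a running server. The following is an added example, not code from either mail: it replays the GRANT/REVOKE sequence from the quoted message on the same table and role names ("tab", "grantee", both taken from the quote; the role is assumed not to exist yet) and then asks the server what it believes the effective privileges are. The privilege-inquiry functions and the catalog columns used here are the ones PostgreSQL has shipped since column-level privileges were implemented in 8.4; the documented behaviour there follows Andreas's reading (revoking a column privilege while the table-level privilege is still held has no effect), which is why the last two statements restrict access by revoking at table level first.

```sql
-- Added example (not from the thread). Reproduces the sequence under discussion
-- and shows how to verify which interpretation the server implements.
CREATE TABLE tab (c1 int, c2 int, c3 int);
CREATE ROLE grantee;                -- assumed: role does not already exist

-- The sequence from the quoted mail.
GRANT SELECT ON tab TO grantee;
REVOKE SELECT (c1) ON tab FROM grantee;

-- Effective privileges as the server sees them. has_column_privilege() reports
-- the union of table-level and column-level rights, so under PostgreSQL's
-- implementation all three columns still return true here: the column-level
-- REVOKE did not touch the table-level grant.
SELECT has_table_privilege('grantee', 'tab', 'SELECT')        AS table_select,
       has_column_privilege('grantee', 'tab', 'c1', 'SELECT') AS c1_select,
       has_column_privilege('grantee', 'tab', 'c2', 'SELECT') AS c2_select,
       has_column_privilege('grantee', 'tab', 'c3', 'SELECT') AS c3_select;

-- What is actually recorded: one ACL on the relation, and a separate
-- (normally NULL) ACL per attribute. Column grants live in attacl only.
SELECT relacl
  FROM pg_class
 WHERE oid = 'tab'::regclass;

SELECT attname, attacl
  FROM pg_attribute
 WHERE attrelid = 'tab'::regclass
   AND attnum > 0
   AND NOT attisdropped;

-- To end up with "no privilege on c1, SELECT on c2 and c3" under either reading,
-- drop the table-level privilege and grant the columns you mean explicitly.
REVOKE SELECT ON tab FROM grantee;
GRANT SELECT (c2, c3) ON tab TO grantee;

-- Re-check: table_select is now false, c1_select false, c2/c3 true.
SELECT has_table_privilege('grantee', 'tab', 'SELECT')        AS table_select,
       has_column_privilege('grantee', 'tab', 'c1', 'SELECT') AS c1_select,
       has_column_privilege('grantee', 'tab', 'c2', 'SELECT') AS c2_select,
       has_column_privilege('grantee', 'tab', 'c3', 'SELECT') AS c3_select;
```

The practical consequence for a least-privilege setup is the one the second half of the script demonstrates: column-level GRANTs are only meaningful when no broader table-level privilege for the same action is in force, so audit relacl before relying on attacl.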
