Figure 23.11 ASSISTANT Failed to Create MATTHEW, but INTERN Created BETH.
Now, as the DBA, you decide that your assistant does not need to create
users at this point, so you revoke the CREATE USER privilege from
ASSISTANT.
ASSISTANT can no longer create users; however, the users she created
still exist. INTERN, who received the system privilege CREATE USER
from ASSISTANT, also retains that privilege. Figure 23.11 illustrates this
idea by showing that ASSISTANT cannot create a user, while INTERN
can create a user.
23.2.2.2 Revoked Object Privileges DO Cascade
Revoking an object privilege does result in a cascading set of revoked
privileges. For example, imagine that SYSTEM grants SELECT on
MUSIC.ARTIST to ASSISTANT using the WITH GRANT OPTION
clause. Then ASSISTANT grants the same object privilege to INTERN,
who in turn grants the privilege (without the WITH GRANT OPTION)
to JOE. Figure 23.12 shows the scenario.
After careful thought, you decide that your assistant no longer requires
the SELECT privilege on the MUSIC.ARTIST table, so you revoke the
privilege. The revoke actually cascades and revokes the privilege from
INTERN, and then it cascades again and revokes the privilege from JOE.
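
The two revoke behaviors described above, with the audit queries a DBA would run afterward to find grants that survived. This is an added example, not code from the original text. It assumes the users named in the text already exist and that CREATE USER was granted WITH ADMIN OPTION; the bracketed labels mark which session runs each statement.

```sql
-- Added example. Session labels show who runs each statement.
-- ASSISTANT, INTERN, JOE and MUSIC.ARTIST come from the text; the users are
-- assumed to exist already and to be able to log in.

-- [SYSTEM] System privilege chain. WITH ADMIN OPTION is assumed here: it is
-- what allows a grantee to pass a system privilege on.
GRANT CREATE USER TO assistant WITH ADMIN OPTION;
-- [ASSISTANT]
GRANT CREATE USER TO intern;
-- [SYSTEM] Revokes from ASSISTANT only; nothing propagates to INTERN.
REVOKE CREATE USER FROM assistant;

-- [SYSTEM] Audit: list every remaining holder of the privilege.
-- DBA_SYS_PRIVS has no GRANTOR column, so the chain cannot be rebuilt from
-- this view; each unwanted grantee has to be identified and revoked by hand.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE USER'
ORDER  BY grantee;

REVOKE CREATE USER FROM intern;   -- explicit cleanup of the leftover grant

-- [SYSTEM] Object privilege chain from section 23.2.2.2.
GRANT SELECT ON music.artist TO assistant WITH GRANT OPTION;
-- [ASSISTANT]
GRANT SELECT ON music.artist TO intern WITH GRANT OPTION;
-- [INTERN]
GRANT SELECT ON music.artist TO joe;
-- [SYSTEM] One revoke; the grants made downstream of ASSISTANT go with it.
REVOKE SELECT ON music.artist FROM assistant;

-- [SYSTEM] Audit: DBA_TAB_PRIVS records the grantor, so any remaining SELECT
-- grants on the table can be traced back to whoever issued them.
SELECT grantor, grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'MUSIC'
AND    table_name = 'ARTIST'
AND    privilege = 'SELECT'
ORDER  BY grantor, grantee;
```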
 