Granting and revoking permissions
As you saw in Chapter 3, Managing Users and Connections, a role is associated with a collection of permissions, which are provided by means of a GRANT statement and removed by means of a REVOKE statement. Permissions are stored internally as ACLs, as you saw in the previous section.
This section revisits the GRANT and REVOKE statements to help you better understand how to use them with respect to different database objects.
The GRANT statement has the following synopsis:
GRANT <permission, permission, ...> ON <database-object> TO <role>;
Here, you list all the permissions you want to associate with the target role for the specified database object. It is also possible to extend the GRANT statement with the WITH GRANT OPTION clause, which allows the target role to grant the same permissions it has received to another role.
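The following is an added example, not taken from the book, showing how WITH GRANT OPTION lets a permission travel beyond the role you granted it to, how to spot that in the table's ACL, and how to pull it back. The roles team_lead and analyst and the table demo_orders are constructed for illustration, and the script assumes it is run by a superuser, who owns the table.

```sql
-- Everything runs in one transaction and is rolled back at the end,
-- so the constructed roles and table leave no trace.
BEGIN;

CREATE ROLE team_lead NOLOGIN;   -- constructed role
CREATE ROLE analyst   NOLOGIN;   -- constructed role
CREATE TABLE demo_orders (id int PRIMARY KEY, amount numeric);

-- The owner hands out two permissions; only SELECT may be passed on.
GRANT SELECT ON demo_orders TO team_lead WITH GRANT OPTION;
GRANT INSERT ON demo_orders TO team_lead;

-- team_lead re-grants SELECT without the owner being involved.
-- It could not do the same with INSERT, which it holds without
-- the grant option.
SET ROLE team_lead;
GRANT SELECT ON demo_orders TO analyst;
RESET ROLE;

-- Audit the ACL: one row per (grantor, grantee, permission).
-- is_grantable = true marks roles able to spread the permission,
-- and a grantor other than the owner marks a delegated grant.
SELECT a.grantor::regrole AS grantor,
       a.grantee::regrole AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_class AS c
CROSS JOIN LATERAL aclexplode(c.relacl) AS a
WHERE c.oid = 'demo_orders'::regclass
ORDER BY grantee, privilege_type;

-- Withdraw only the ability to re-grant. CASCADE also removes the
-- dependent grant that team_lead gave to analyst; without CASCADE
-- the statement is refused while that dependent grant exists.
REVOKE GRANT OPTION FOR SELECT ON demo_orders FROM team_lead CASCADE;

-- Re-run the audit: team_lead keeps SELECT and INSERT (neither is
-- grantable any more) and analyst no longer appears.
SELECT a.grantor::regrole AS grantor,
       a.grantee::regrole AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_class AS c
CROSS JOIN LATERAL aclexplode(c.relacl) AS a
WHERE c.oid = 'demo_orders'::regclass
ORDER BY grantee, privilege_type;

ROLLBACK;
```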
The REVOKE
statement has a similar synopsis:
REVOKE <permission,...