Comments on: Grant, Revoke, Grant, Revoke: Help my db

Question: Grant, Revoke, Grant, Revoke: Help my db

Robert Angelo — Wed, 24 Jan 2007 10:31:12 -0800

Help me restrict MySQL privileges for a particular table without screwing up access to the rest of the database.

User 'soandso' was set up initially with the command on the lines of GRANT ALL PRIVILGES ON db.* TO soandso@suchandsuch IDENTIFIED BY whatever. Now I want to revoke UPDATE and INSERT privileges for this person on one table, without affecting his rights to UPDATE and INSERT on the other tables in the database.

How do I do this? I tried doing a REVOKE INSERT, UPDATE ON db.tablename FROM soandso. I did FLUSH PRIVILEGES. Then I tested this by connecting as user 'soandso' and trying to insert a row -- and voila, it inserts.

What am I missing? Do the privileges for the db override the privileges for the table? In other words, do I need to revoke all, then grant the privileges separately for each and every table? [that would be a pain]. What next?

By: Khalad

Khalad — Wed, 24 Jan 2007 10:47:20 -0800

Yep, global privileges override database-level privileges, which override table-level privileges, which in turn override column-level privileges. Permissions are ORed together.

By: Robert Angelo

Robert Angelo — Wed, 24 Jan 2007 11:09:16 -0800

Thanks, Khalad. That's exactly what I was suspecting, though I couldn't find it in the MySQL docs. Maybe I wasn't looking in the right place... I'll find another way to work through this for my user.