Wednesday, June 27, 2012

SQL Data Control Language (DCL) Tutorial

Posted by on Wednesday, June 27, 2012 Read our previous post
After doing tutorials on DML (Data Manipulation Language) and DDL (Data Definition Language), we will be learning about one more language used in SQL called the Data Control Language (DCL).

As we saw in our previous tutorials on SQL, that with the help of DDL we can define tables, databases, views etc in SQL and with the help of DML we can manipulate those existing tables, views etc. So apart from these there are other language(s) like the DCL which help us to give or take rights to a user. 

Basically, DCL is used to create roles, permissions, and referential integrity as well it is used to control access to database by securing it.

The DCL commands that helps in achieving the above are GRANT and REVOKE.

Only Database Administrator's or owner's of the database object can provide/remove privileges on a databse object.


SQL GRANT is a command used to provide access or privileges on the database objects to the users.

The Syntax for the GRANT command is:
GRANT privilege_name 
ON object_name 
TO {user_name |PUBLIC |role_name} 
  • privilege_name is the access right or privilege granted to the user. Some of the access rights are ALL, EXECUTE, and SELECT.
  • object_name is the name of an database object like TABLE, VIEW, STORED PROC and SEQUENCE.
  • user_name is the name of the user to whom an access right is being granted.
  • user_name is the name of the user to whom an access right is being granted.
  • PUBLIC is used to grant access rights to all users.
  • ROLES are a set of privileges grouped together.
For Eample: GRANT SELECT ON employee TO user1;This command grants a SELECT permission on employee table to user1.


The REVOKE command removes user access rights or privileges to the database objects.

The Syntax for the REVOKE command is:

REVOKE privilege_name 
ON object_name 
FROM {user_name |PUBLIC |role_name} 

For Example:

REVOKE SELECT ON employee FROM user1;This commmand will REVOKE a SELECT privilege on employee table from user1.When you REVOKE SELECT privilege on a table from a user, the user will not be able to SELECT data from that table anymore. However, if the user has received SELECT privileges on that table from more than one users, he/she can SELECT from that table until everyone who granted the permission revokes it. You cannot REVOKE privileges if they were not initially granted by you.

Privileges and Roles

Privileges: Privileges defines the access rights provided to a user on a database object. There are two types of privileges.

1) System privileges - This allows the user to CREATE, ALTER, or DROP database objects. 

2) Object privileges - This allows the user to EXECUTE, SELECT, INSERT, UPDATE, or DELETE data from database objects to which the privileges apply. 

Few CREATE system privileges are listed below:

System PrivilegesDescription
CREATE objectallows users to create the specified object in their own schema.
CREATE ANY objectallows users to create the specified object in any schema.

The above rules also apply for ALTER and DROP system privileges.

Few of the object privileges are listed below:

Object PrivilegesDescription
allows users to insert rows into a table.
allows users to select data from a database object.
allows user to update data in a table.
allows user to execute a stored procedure or a function.

Roles: Roles are a collection of privileges or access rights. When there are many users in a database it becomes difficult to grant or revoke privileges to users. Therefore, if you define roles, you can grant or revoke privileges to users, thereby automatically granting or revoking privileges. You can either create Roles or use the system roles pre-defined by oracle.

Some of the privileges granted to the system roles are as given below:
System RolePrivileges Granted to the Role
RESOURCECREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER etc. The primary usage of the RESOURCE role is to restrict access to database objects.

Creating Roles

The Syntax to create a role is:

CREATE ROLE role_name 
[IDENTIFIED BY password]; 

For example: 

To create a role called "developer" with password as "pwd",the code will be as follows

CREATE ROLE testing 

It's easier to GRANT or REVOKE privileges to the users through a role rather than assigning a privilege directly to every user. If a role is identified by a password, then, when you GRANT or REVOKE privileges to the role, you definitely have to identify it with the password.

We can GRANT or REVOKE privilege to a role as below.

To grant CREATE TABLE privilege to a user by creating a testing role:

First, create a testing Role


Second, grant a CREATE TABLE privilege to the ROLE testing. You can add more privileges to the ROLE.
Third, grant the role to a user.

GRANT testing TO user1;

To revoke a CREATE TABLE privilege from testing ROLE, you can write:


The Syntax to drop a role from the database is as below:

DROP ROLE role_name;

For example: To drop a role called developer, you can write:

DROP ROLE testing;

© 2010 Code 2 Learn