Home/ Questions/Q 7894637
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T07:26:48+00:00

Question: How can I give a new user almost all privileges, but still keep

  • 0

Question:

How can I give a new user almost all privileges, but still keep one or more tables/databases protected from them.

Details:

If I have one database,

  • life

And three tables

  • passwords
  • friends
  • hobbies

How do I give this user, for example, the following privileges:

  • INSERT
  • UPDATE
  • DELETE
  • CREATE
  • DROP
  • ALTER

With respect to the first three, I would start with something like so:

GRANT INSERT, UPDATE, DELETE ON life.friends TO username@'localhost' IDENTIFIED BY 'password';
GRANT INSERT, UPDATE, DELETE ON life.hobbies TO username@'localhost' IDENTIFIED BY 'password';

But I am confused as to how to use CREATE and DROP. If I grant drop privileges on the whole database like so:

GRANT DROP ON life TO username@'localhost' IDENTIFIED BY 'password';

Then the user can drop the passwords table, which I do not want. I could instead grant it based on tables like so:

GRANT DROP ON life.friends TO username@'localhost' IDENTIFIED BY 'password';
GRANT DROP ON life.hobbies TO username@'localhost' IDENTIFIED BY 'password';

But then what happens if I grant CREATE privileges like so:

GRANT CREATE ON life TO username@'localhost' IDENTIFIED BY 'password';

Does that mean that the user can not even delete the very tables he/she creates? My question also relates to creating/dropping databases. What if I want to allow the user to create and drop as many of their own databases, but not the life database?

Should I instead change my approach by moving the passwords table into another database?

Thank you in advanced.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    An alternative to @TheScrumMeister’s suggestion of using separate databases would be to define a procedure that wraps CREATE TABLE, but also grants the invoking user the DROP permission on it:

    DELIMITER ;;

CREATE PROCEDURE create_table(
  tbl_name VARCHAR(64) -- maximum length of a table name
) BEGIN
  DECLARE EXIT HANDLER FOR SQLEXCEPTION ROLLBACK;
  START TRANSACTION;
    SET @usr = SUBSTRING_INDEX(USER(), '@', 1);  -- invoking username
    SET @tbl = REPLACE(tbl_name, "`", "``");     -- prevent SQL injection

    -- just create some dummy table initially - the user can modify it after
    SET @qry = CONCAT("
      CREATE TABLE `", @tbl, "` (
        id INT NOT NULL AUTO_INCREMENT PRIMARY KEY
      );
    ");
    PREPARE stmt FROM  @qry;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;

    -- now grant DROP to the invoking user but only from localhost
    SET @qry = CONCAT("
      GRANT DROP ON life.`", @tbl, "`
      TO CONCAT(?, \"@'localhost'\") IDENTIFIED BY 'password';
    ");
    PREPARE stmt FROM  @qry;
    EXECUTE stmt USING @usr;
    DEALLOCATE PREPARE stmt;

    -- clean up
    SET @qry = NULL;
    SET @usr = NULL;
  COMMIT;
END;;

DELIMITER ;

    To be certain that the user doesn’t create tables any other way, they should not have the CREATE TABLE privilege.

    You could do something similar for databases too.

    • 0