Rechercher dans le manuel MySQL
13.7.6.21 SHOW GRANTS Syntax
- SHOW GRANTS
- [FOR user_or_role
- user_or_role: {
- | role (see Section 6.2.5, “Specifying Role Names”.
- }
This statement displays the privileges and roles that are
assigned to a MySQL user account or role, in the form of
GRANT
statements that must be
executed to duplicate the privilege and role assignments.
To display nonprivilege information for MySQL accounts, use
the SHOW CREATE USER
statement.
See Section 13.7.6.12, “SHOW CREATE USER Syntax”.
SHOW GRANTS
requires the
SELECT
privilege for the
mysql
system database, except to display
privileges and roles for the current user.
To name the account or role for SHOW
GRANTS
, use the same format as for the
GRANT
statement (for example,
'jeffrey'@'localhost'
):
- +------------------------------------------------------------------+
- | Grants for jeffrey@localhost |
- +------------------------------------------------------------------+
- +------------------------------------------------------------------+
The host part, if omitted, defaults to '%'
.
For additional information about specifying account and role
names, see Section 6.2.4, “Specifying Account Names”, and
Section 6.2.5, “Specifying Role Names”.
To display the privileges granted to the current user (the account you are using to connect to the server), you can use any of the following statements:
- SHOW GRANTS;
If SHOW GRANTS FOR CURRENT_USER
(or any of
the equivalent syntaxes) is used in definer context, such as
within a stored procedure that executes with definer rather than
invoker privileges, the grants displayed are those of the
definer and not the invoker.
In MySQL 8.0 compared to previous series,
SHOW GRANTS
no longer displays
ALL PRIVILEGES
in
its global-privileges output because the meaning of
ALL PRIVILEGES
at
the global level varies depending on which dynamic privileges
are defined. Instead, SHOW GRANTS
explictly lists each granted global privilege:
- +---------------------------------------------------------------------+
- | Grants for root@localhost |
- +---------------------------------------------------------------------+
- +---------------------------------------------------------------------+
Applications that process SHOW
GRANTS
output should be adjusted accordingly.
At the global level, GRANT OPTION
applies to all granted static global privileges if granted for
any of them, but applies individually to granted dynamic
privileges. SHOW GRANTS
displays
global privileges this way:
One line listing all granted static privileges, if there are any, including
WITH GRANT OPTION
if appropriate.One line listing all granted dynamic privileges for which
GRANT OPTION
is granted, if there are any, includingWITH GRANT OPTION
.One line listing all granted dynamic privileges for which
GRANT OPTION
is not granted, if there are any, withoutWITH GRANT OPTION
.
With the optional USING
clause,
SHOW GRANTS
enables you to
examine the privileges associated with roles for the user. Each
role named in the USING
clause must be
granted to the user.
Suppose that user u1
is assigned roles
r1
and r2
, as follows:
SHOW GRANTS
without
USING
shows the granted roles:
- +---------------------------------------------+
- | Grants for u1@localhost |
- +---------------------------------------------+
- +---------------------------------------------+
Adding a USING
clause causes the statement to
also display the privileges associated with each role named in
the clause:
- +---------------------------------------------+
- | Grants for u1@localhost |
- +---------------------------------------------+
- +---------------------------------------------+
- +-------------------------------------------------------------+
- | Grants for u1@localhost |
- +-------------------------------------------------------------+
- +-------------------------------------------------------------+
- +---------------------------------------------------------------------+
- | Grants for u1@localhost |
- +---------------------------------------------------------------------+
- +---------------------------------------------------------------------+
A privilege granted to an account is always in effect, but a
role is not. The active roles for an account can differ across
and within sessions, depending on the value of the
activate_all_roles_on_login
system variable, the account default roles, and whether
SET ROLE
has been executed
within a session.
MySQL 8.0.16 and higher supports partial revokes of global
privileges, such that a global privilege can be restricted from
applying to particular schemas (see
Section 6.2.12, “Privilege Restriction Using Partial Revokes”). To indicate which global
schema privileges have been revoked for particular schemas,
SHOW GRANTS
output includes
REVOKE
statements:
- +--------------------------------------------------+
- | Grants for u1@% |
- +--------------------------------------------------+
- +--------------------------------------------------+
SHOW GRANTS
does not display
privileges that are available to the named account but are
granted to a different account. For example, if an anonymous
account exists, the named account might be able to use its
privileges, but SHOW GRANTS
does
not display them.
SHOW GRANTS
displays mandatory
roles named in the
mandatory_roles
system variable
value as follows:
SHOW GRANTS
without aFOR
clause displays privileges for the current user, and includes mandatory roles.SHOW GRANTS FOR
displays privileges for the named user, and does not include mandatory roles.user
This behavior is for the benefit of applications that use the
output of SHOW
GRANTS FOR
to
determine which privileges are granted explicitly to the named
user. Were that output to include mandatory roles, it would be
difficult to distinguish roles granted explicitly to the user
from mandatory roles.
user
For the current user, applications can determine privileges with
or without mandatory roles by using SHOW
GRANTS
or
SHOW GRANTS FOR
CURRENT_USER
, respectively.
Document created the 26/06/2006, last modified the 26/10/2018
Source of the printed document:https://www.gaudry.be/en/mysql-rf-show-grants.html
The infobrol is a personal site whose content is my sole responsibility. The text is available under CreativeCommons license (BY-NC-SA). More info on the terms of use and the author.
References
These references and links indicate documents consulted during the writing of this page, or which may provide additional information, but the authors of these sources can not be held responsible for the content of this page.
The author This site is solely responsible for the way in which the various concepts, and the freedoms that are taken with the reference works, are presented here. Remember that you must cross multiple source information to reduce the risk of errors.