# Security & Permissions

This notebook demonstrates **security and permission management** in elastic-script.

## Features

- **GRANT** - Give permissions to roles or users
- **REVOKE** - Remove permissions from roles or users
- **CREATE ROLE** - Define named groups for permission assignment
- **SHOW PERMISSIONS** - View current permission grants

## 1. Creating Roles

Roles are named groups that permissions can be granted to. Use roles to organize access control.

```sql
-- Create a role for operators
CREATE ROLE operators DESCRIPTION 'Operations team for runbook execution'
```

```sql
-- Create a role for analysts
CREATE ROLE analysts DESCRIPTION 'Data analysts with read access'
```

```sql
-- Create an admin role
CREATE ROLE admin DESCRIPTION 'Administrative access'
```

## 2. Granting Permissions

Grant EXECUTE permission to allow roles or users to run procedures, functions, or packages.

```sql
-- Grant execute on a procedure to a role
GRANT EXECUTE ON PROCEDURE restart_service TO ROLE operators
```

```sql
-- Grant execute on a function
GRANT EXECUTE ON FUNCTION calculate_metrics TO ROLE analysts
```

```sql
-- Grant all privileges on a package
GRANT ALL PRIVILEGES ON PACKAGE admin_tools TO ROLE admin
```

```sql
-- Grant to a specific user
GRANT EXECUTE ON PROCEDURE backup_data TO USER 'john.doe@example.com'
```

## 3. Viewing Permissions

```sql
-- Show all permissions
SHOW PERMISSIONS
```

```sql
-- Show permissions for a specific role
SHOW PERMISSIONS FOR ROLE operators
```

```sql
-- Show role details
SHOW ROLE operators
```

## 4. Revoking Permissions

```sql
-- Revoke a permission
REVOKE EXECUTE ON PROCEDURE restart_service FROM ROLE operators
```

## 5. Managing Roles

```sql
-- Drop a role
DROP ROLE analysts
```

## Reference

### GRANT Syntax

```sql
GRANT privilege_list ON object_type object_name TO principal

-- Examples
GRANT EXECUTE ON PROCEDURE my_proc TO ROLE admin
GRANT EXECUTE ON FUNCTION my_func TO USER 'email@example.com'
GRANT ALL PRIVILEGES ON PACKAGE my_pkg TO ROLE superadmin
```

### REVOKE Syntax

```sql
REVOKE privilege_list ON object_type object_name FROM principal

-- Example
REVOKE EXECUTE ON PROCEDURE my_proc FROM ROLE guest
```

### Object Types

| Object Type | Description |
|-------------|-------------|
| `PROCEDURE` | Stored procedures |
| `FUNCTION` | User-defined functions |
| `PACKAGE` | Packages (includes all members) |
| `JOB` | Scheduled jobs |
| `TRIGGER` | Event triggers |

### Privileges

| Privilege | Description |
|-----------|-------------|
| `EXECUTE` | Permission to execute the object |
| `ALL PRIVILEGES` | All available permissions |
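
For reviewing a script of grants before it is run, the following added example (not part of elastic-script or of the original notebook) parses statements using the GRANT and REVOKE syntax from the reference above, replays them, and reports what remains granted. It assumes that privilege lists are comma-separated and that REVOKE removes only the exact matching grant; the two review findings (`ALL PRIVILEGES` grants and grants made directly to a user instead of a role) are this example's own policy, not rules enforced by elastic-script.

```python
import re

# Grammar taken from the Reference section; comma-separated privilege lists are an assumption.
STMT = re.compile(
    r"^(GRANT|REVOKE)\s+(.+?)\s+ON\s+(PROCEDURE|FUNCTION|PACKAGE|JOB|TRIGGER)\s+(\w+)"
    r"\s+(TO|FROM)\s+(ROLE|USER)\s+('[^']+'|\w+)$",
    re.IGNORECASE,
)

def parse(line):
    """Return (verb, privileges, object_type, object_name, principal) or raise ValueError."""
    m = STMT.match(line.strip())
    if not m:
        raise ValueError(f"not a GRANT/REVOKE statement: {line!r}")
    verb, privs, otype, oname, prep, pkind, pname = m.groups()
    verb = verb.upper()
    if (verb, prep.upper()) not in {("GRANT", "TO"), ("REVOKE", "FROM")}:
        raise ValueError(f"{verb} used with {prep.upper()}: {line!r}")
    privileges = [" ".join(p.split()).upper() for p in privs.split(",")]
    return verb, privileges, otype.upper(), oname, (pkind.upper(), pname.strip("'"))

def audit(script):
    """Replay statements; return (remaining grants, review findings)."""
    grants, findings = set(), []
    for line in script.splitlines():
        if not line.strip() or line.strip().startswith("--"):
            continue
        verb, privileges, otype, oname, principal = parse(line)
        for priv in privileges:
            entry = (priv, otype, oname, principal)
            if verb == "GRANT":
                grants.add(entry)
            else:
                grants.discard(entry)  # assumption: REVOKE removes only the exact grant
    for priv, otype, oname, (kind, name) in sorted(grants):
        if priv == "ALL PRIVILEGES":
            findings.append(f"broad grant: ALL PRIVILEGES on {otype} {oname} to {kind} {name}")
        if kind == "USER":
            findings.append(f"direct user grant: {priv} on {otype} {oname} to {name}")
    return grants, findings

# Constructed input: the notebook's own GRANT and REVOKE statements, in order.
NOTEBOOK = """
GRANT EXECUTE ON PROCEDURE restart_service TO ROLE operators
GRANT EXECUTE ON FUNCTION calculate_metrics TO ROLE analysts
GRANT ALL PRIVILEGES ON PACKAGE admin_tools TO ROLE admin
GRANT EXECUTE ON PROCEDURE backup_data TO USER 'john.doe@example.com'
REVOKE EXECUTE ON PROCEDURE restart_service FROM ROLE operators
"""
```

Calling `audit(NOTEBOOK)` returns the three grants still in effect after the revoke, plus one finding for the `admin_tools` package grant and one for the grant made directly to a user.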