For grant commands that do not include predicates, the precedence rule of granted privileges with respect to the grantee, specifies that a grant at a higher level can remove a grant at a lower level. However, if the higher precedence grant is predicated, Adaptive Server generally retains lower-precedence rows in sysprotects.
In this example, the second non-predicated grant to public causes Adaptive Server to remove the earlier grant to an individual user1:
grant select on t1 to user1 grant select on t1 to public
However, grants with predicates allow grants that are lower in precedence to remain. For example, the first grant, below, to user1 is general, but the second grant to public on t1 is conditional. Adaptive Server does not remove the grant to user1, even though the grantee, public, has a higher precedence:
grant select on t1 to user1 grant select on t1 where col1 = 4 to public
In this example, the second grant is added but the privilege is recorded as conditional access on all columns in t1 except col1:
grant select on t1 (col1) to user2 grant select on t1 where col1 = 4 to user2
The first grant is not removed because it gives user2 unconditional access on column col1, which is stronger than the conditional access on col1 from the second grant.
