@@ -8,8 +8,8 @@ Tarantool enables flexible management of access to various database resources.
88The main concepts of Tarantool access control system are as follows:
99
1010* A *user * is a person or program that interacts with a Tarantool instance.
11- * An *object * is an entity to which access can be granted, for example, spaces, indexes , or functions .
12- * * Privileges * allow a user to perform certain operations on specific objects, for example, creating spaces, reading or updating data.
11+ * An *object * is an entity to which access can be granted, for example, a space, an index , or a function .
12+ * A * privilege * allows a user to perform certain operations on specific objects, for example, creating spaces, reading or updating data.
1313* A *role * is a named collection of privileges that can be granted to a user.
1414
1515
@@ -136,7 +136,7 @@ Roles can also be assigned to other roles, creating a role hierarchy.
136136There are the following built-in roles in Tarantool:
137137
138138* ``super `` has all available administrative permissions.
139- * ``public `` is automatically granted to new users when they are created.
139+ * ``public `` has certain read permissions. This role is automatically granted to new users when they are created.
140140* ``replication `` can be granted to a user used to maintain :ref: `replication <replication_overview >` in a cluster.
141141* ``sharding `` can be granted to a user used to maintain :ref: `sharding <sharding >` in a cluster.
142142
@@ -649,6 +649,8 @@ In the example below, ``testuser`` gets privileges allowing them to create :ref:
649649 box.schema.user.grant('testuser','write', 'space', '_schema')
650650 box.schema.user.grant('testuser','write', 'space', '_space')
651651
652+ write `` access to certain system spaces.
653+
652654To allow ``testuser `` to drop a space that has associated objects, add the following privileges:
653655
654656.. code-block :: lua
@@ -852,13 +854,12 @@ Similarly, executing an arbitrary SQL expression requires the ``execute`` privil
852854Example
853855~~~~~~~
854856
855- In the example below, the created Lua function is executed under the user ID of its
857+ In the example below, the :ref: ` created Lua function < box_schema-func_create >` is executed on behalf of its
856858creator, even if called by another user.
857859
858860First, the two spaces (``space1 `` and ``space2 ``) are created, and a no-password user (``private_user ``)
859- is granted full access to them. Then ``read_and_modify `` is defined and the
860- no-password user becomes this function's creator. Finally, another user
861- (``public_user ``) is granted access to execute Lua functions created by the no-password user.
861+ is granted full access to them. Then ``read_and_modify `` is defined and ``private_user `` becomes this function's creator.
862+ Finally, another user (``public_user ``) is granted access to execute Lua functions created by ``private_user ``.
862863
863864.. code-block :: lua
864865
@@ -891,6 +892,8 @@ no-password user becomes this function's creator. Finally, another user
891892 box.schema.user.create('public_user', {password = 'secret'})
892893 box.schema.user.grant('public_user', 'execute', 'function', 'read_and_modify')
893894
895+ public_user `` calls the function, it is executed on behalf of its creator, ``private_user ``.
896+
894897
895898
896899
0 commit comments