DCL (Data Control Language) is the subset of SQL used to manage who can do what on the database. It governs permissions rather than data or structure. The keywords are:
- GRANT — give a user or a role specific privileges on a database object.
- REVOKE — take privileges away.
A typical use:
GRANT SELECT, INSERT ON onq.students TO 'reporting_user'@'localhost';
REVOKE INSERT ON onq.students FROM 'reporting_user'@'localhost';The first grants read and insert privileges on the students table to a particular user. The second takes back the insert privilege, leaving them read-only.
Privileges can be granted at multiple granularities: on a specific column, on a specific table, on a specific database, or globally. They can also be granted to roles — named bundles of privileges that can be assigned to many users at once.
DCL is what makes shared databases safe to use. Without it, every user with login access could do anything to any table, and a mistake in one application could damage another’s data. With it, the principle of least privilege applies: each user gets exactly the privileges their job requires and nothing more.
The other three SQL sub-languages — DDL for structure, DML for data, TCL for transactions — handle different concerns. DCL is specifically about access control.