apache · LucaCappelletti94 · Jan 31, 2026 · Jan 31, 2026 · Jan 31, 2026
diff --git a/src/ast/dcl.rs b/src/ast/dcl.rs
@@ -29,7 +29,10 @@ use serde::{Deserialize, Serialize};
 use sqlparser_derive::{Visit, VisitMut};
 
 use super::{display_comma_separated, Expr, Ident, Password, Spanned};
-use crate::ast::{display_separated, ObjectName};
+use crate::ast::{
+    display_separated, CascadeOption, CurrentGrantsKind, GrantObjects, Grantee, ObjectName,
+    Privileges,
+};
 use crate::tokenizer::Span;
 
 /// An option in `ROLE` statement.
@@ -427,3 +430,99 @@ impl Spanned for CreateRole {
         Span::empty()
     }
 }
+
+/// GRANT privileges ON objects TO grantees
+#[derive(Debug, Clone, PartialEq, PartialOrd, Eq, Ord, Hash)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "visitor", derive(Visit, VisitMut))]
+pub struct Grant {
+    /// Privileges being granted.
+    pub privileges: Privileges,
+    /// Optional objects the privileges apply to.
+    pub objects: Option<GrantObjects>,
+    /// List of grantees receiving the privileges.
+    pub grantees: Vec<Grantee>,
+    /// Whether `WITH GRANT OPTION` is present.
+    pub with_grant_option: bool,
+    /// Optional `AS GRANTOR` identifier.
+    pub as_grantor: Option<Ident>,
+    /// Optional `GRANTED BY` identifier.
+    ///
+    /// [BigQuery](https://cloud.google.com/bigquery/docs/reference/standard-sql/dcl-statements)
+    pub granted_by: Option<Ident>,
+    /// Optional `CURRENT GRANTS` modifier.
+    ///
+    /// [Snowflake](https://docs.snowflake.com/en/sql-reference/sql/grant-privilege)
+    pub current_grants: Option<CurrentGrantsKind>,
+}
+
+impl fmt::Display for Grant {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(f, "GRANT {privileges}", privileges = self.privileges)?;
+        if let Some(ref objects) = self.objects {
+            write!(f, " ON {objects}")?;
+        }
+        write!(f, " TO {}", display_comma_separated(&self.grantees))?;
+        if let Some(ref current_grants) = self.current_grants {
+            write!(f, " {current_grants}")?;
+        }
+        if self.with_grant_option {
+            write!(f, " WITH GRANT OPTION")?;
+        }
+        if let Some(ref as_grantor) = self.as_grantor {
+            write!(f, " AS {as_grantor}")?;
+        }
+        if let Some(ref granted_by) = self.granted_by {
+            write!(f, " GRANTED BY {granted_by}")?;
+        }
+        Ok(())
+    }
+}
+
+impl From<Grant> for crate::ast::Statement {
+    fn from(v: Grant) -> Self {
+        crate::ast::Statement::Grant(v)
+    }
+}
+
+/// REVOKE privileges ON objects FROM grantees
+#[derive(Debug, Clone, PartialEq, PartialOrd, Eq, Ord, Hash)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "visitor", derive(Visit, VisitMut))]
+pub struct Revoke {
+    /// Privileges to revoke.
+    pub privileges: Privileges,
+    /// Optional objects from which to revoke.
+    pub objects: Option<GrantObjects>,
+    /// Grantees affected by the revoke.
+    pub grantees: Vec<Grantee>,
+    /// Optional `GRANTED BY` identifier.
+    ///
+    /// [BigQuery](https://cloud.google.com/bigquery/docs/reference/standard-sql/dcl-statements)
+    pub granted_by: Option<Ident>,
+    /// Optional `CASCADE`/`RESTRICT` behavior.
+    pub cascade: Option<CascadeOption>,
+}
+
+impl fmt::Display for Revoke {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(f, "REVOKE {privileges}", privileges = self.privileges)?;
+        if let Some(ref objects) = self.objects {
+            write!(f, " ON {objects}")?;
+        }
+        write!(f, " FROM {}", display_comma_separated(&self.grantees))?;
+        if let Some(ref granted_by) = self.granted_by {
+            write!(f, " GRANTED BY {granted_by}")?;
+        }
+        if let Some(ref cascade) = self.cascade {
+            write!(f, " {cascade}")?;
+        }
+        Ok(())
+    }
+}
+
+impl From<Revoke> for crate::ast::Statement {
+    fn from(v: Revoke) -> Self {
+        crate::ast::Statement::Revoke(v)
+    }
+}
diff --git a/src/ast/ddl.rs b/src/ast/ddl.rs
@@ -5120,3 +5120,194 @@ impl Spanned for AlterOperatorClass {
         Span::empty()
     }
 }
+
+/// CREATE POLICY statement.
+///
+/// See [PostgreSQL](https://www.postgresql.org/docs/current/sql-createpolicy.html)
+#[derive(Debug, Clone, PartialEq, PartialOrd, Eq, Ord, Hash)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "visitor", derive(Visit, VisitMut))]
+pub struct CreatePolicy {
+    /// Name of the policy.
+    pub name: Ident,
+    /// Table the policy is defined on.
+    #[cfg_attr(feature = "visitor", visit(with = "visit_relation"))]
+    pub table_name: ObjectName,
+    /// Optional policy type (e.g., `PERMISSIVE` / `RESTRICTIVE`).
+    pub policy_type: Option<CreatePolicyType>,
+    /// Optional command the policy applies to (e.g., `SELECT`).
+    pub command: Option<CreatePolicyCommand>,
+    /// Optional list of grantee owners.
+    pub to: Option<Vec<Owner>>,
+    /// Optional expression for the `USING` clause.
+    pub using: Option<Expr>,
+    /// Optional expression for the `WITH CHECK` clause.
+    pub with_check: Option<Expr>,
+}
+
+impl fmt::Display for CreatePolicy {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(
+            f,
+            "CREATE POLICY {name} ON {table_name}",
+            name = self.name,
+            table_name = self.table_name,
+        )?;
+        if let Some(ref policy_type) = self.policy_type {
+            write!(f, " AS {policy_type}")?;
+        }
+        if let Some(ref command) = self.command {
+            write!(f, " FOR {command}")?;
+        }
+        if let Some(ref to) = self.to {
+            write!(f, " TO {}", display_comma_separated(to))?;
+        }
+        if let Some(ref using) = self.using {
+            write!(f, " USING ({using})")?;
+        }
+        if let Some(ref with_check) = self.with_check {
+            write!(f, " WITH CHECK ({with_check})")?;
+        }
+        Ok(())
+    }
+}
+
+/// Policy type for a `CREATE POLICY` statement.
+/// ```sql
+/// AS [ PERMISSIVE | RESTRICTIVE ]
+/// ```
+/// [PostgreSQL](https://www.postgresql.org/docs/current/sql-createpolicy.html)
+#[derive(Debug, Clone, Copy, PartialEq, PartialOrd, Eq, Ord, Hash)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "visitor", derive(Visit, VisitMut))]
+pub enum CreatePolicyType {
+    /// Policy allows operations unless explicitly denied.
+    Permissive,
+    /// Policy denies operations unless explicitly allowed.
+    Restrictive,
+}
+
+impl fmt::Display for CreatePolicyType {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match self {
+            CreatePolicyType::Permissive => write!(f, "PERMISSIVE"),
+            CreatePolicyType::Restrictive => write!(f, "RESTRICTIVE"),
+        }
+    }
+}
+
+/// Command that a policy can apply to (FOR clause).
+/// ```sql
+/// FOR [ALL | SELECT | INSERT | UPDATE | DELETE]
+/// ```
+/// [PostgreSQL](https://www.postgresql.org/docs/current/sql-createpolicy.html)
+#[derive(Debug, Clone, Copy, PartialEq, PartialOrd, Eq, Ord, Hash)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "visitor", derive(Visit, VisitMut))]
+pub enum CreatePolicyCommand {
+    /// Applies to all commands.
+    All,
+    /// Applies to SELECT.
+    Select,
+    /// Applies to INSERT.
+    Insert,
+    /// Applies to UPDATE.
+    Update,
+    /// Applies to DELETE.
+    Delete,
+}
+
+impl fmt::Display for CreatePolicyCommand {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match self {
+            CreatePolicyCommand::All => write!(f, "ALL"),
+            CreatePolicyCommand::Select => write!(f, "SELECT"),
+            CreatePolicyCommand::Insert => write!(f, "INSERT"),
+            CreatePolicyCommand::Update => write!(f, "UPDATE"),
+            CreatePolicyCommand::Delete => write!(f, "DELETE"),
+        }
+    }
+}
+
+/// DROP POLICY statement.
+///
+/// See [PostgreSQL](https://www.postgresql.org/docs/current/sql-droppolicy.html)
+#[derive(Debug, Clone, PartialEq, PartialOrd, Eq, Ord, Hash)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "visitor", derive(Visit, VisitMut))]
+pub struct DropPolicy {
+    /// `true` when `IF EXISTS` was present.
+    pub if_exists: bool,
+    /// Name of the policy to drop.
+    pub name: Ident,
+    /// Name of the table the policy applies to.
+    #[cfg_attr(feature = "visitor", visit(with = "visit_relation"))]
+    pub table_name: ObjectName,
+    /// Optional drop behavior (`CASCADE` or `RESTRICT`).
+    pub drop_behavior: Option<DropBehavior>,
+}
+
+impl fmt::Display for DropPolicy {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(
+            f,
+            "DROP POLICY {if_exists}{name} ON {table_name}",
+            if_exists = if self.if_exists { "IF EXISTS " } else { "" },
+            name = self.name,
+            table_name = self.table_name
+        )?;
+        if let Some(ref behavior) = self.drop_behavior {
+            write!(f, " {behavior}")?;
+        }
+        Ok(())
+    }
+}
+
+impl From<CreatePolicy> for crate::ast::Statement {
+    fn from(v: CreatePolicy) -> Self {
+        crate::ast::Statement::CreatePolicy(v)
+    }
+}
+
+impl From<DropPolicy> for crate::ast::Statement {
+    fn from(v: DropPolicy) -> Self {
+        crate::ast::Statement::DropPolicy(v)
+    }
+}
+
+/// ALTER POLICY statement.
+///
+/// ```sql
+/// ALTER POLICY <NAME> ON <TABLE NAME> [<OPERATION>]
+/// ```
+/// (Postgresql-specific)
+#[derive(Debug, Clone, PartialEq, PartialOrd, Eq, Ord, Hash)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "visitor", derive(Visit, VisitMut))]
+pub struct AlterPolicy {
+    /// Policy name to alter.
+    pub name: Ident,
+    /// Target table name the policy is defined on.
+    #[cfg_attr(feature = "visitor", visit(with = "visit_relation"))]
+    pub table_name: ObjectName,
+    /// Optional operation specific to the policy alteration.
+    pub operation: AlterPolicyOperation,
+}
+
+impl fmt::Display for AlterPolicy {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(
+            f,
+            "ALTER POLICY {name} ON {table_name}{operation}",
+            name = self.name,
+            table_name = self.table_name,
+            operation = self.operation
+        )
+    }
+}
+
+impl From<AlterPolicy> for crate::ast::Statement {
+    fn from(v: AlterPolicy) -> Self {
+        crate::ast::Statement::AlterPolicy(v)
+    }
+}