You must have the CONTROL privilege to modify the access rights
    of other users with the CHANGE PROTECTION statement.

    An access control list (ACL) is attached to each database and
    relation. Each list consists of entries that specify two items of
    information:

    o  An identifier that specifies a user or set of users.

    o  A set of access rights. These rights specify what operations
       that user or set of users can perform on the database or
       relation.

    The new version of the ACL entry you create with the CHANGE
    PROTECTION statement does not inherit any characteristics
    from the old version. When you change protection on a database
    element, you need to specify the entire entry, including all the
    access rights you want to deny.

    When changing protection, observe the following rules:

    o  To change protection, you must first invoke the database that
       includes the protection.

    o  If you specify two or more access rights, separate each by
       a plus sign (+), but do not include any spaces. For example,
       READ+WRITE.

    o  If the list of access rights exceeds one line in length, place
       the list in quotation marks and use the continuation character
       (hyphen). Otherwise, Oracle Rdb reads the carriage return as the
       end of the list, and an error results:

       cont> ACCESS "DEFINE+CHANGE+DELETE -
       cont> +CONTROL+OPERATOR+ADMINISTRATOR"

    Granting or revoking a privilege takes effect after the user
    detaches and attaches to the database again.

    You must execute the CHANGE PROTECTION statement in a read/write
    transaction. If there is no active transaction and you issue this
    statement, Oracle Rdb starts a read/write transaction implicitly.

    Other users are allowed to be attached to the database when you
    issue the CHANGE PROTECTION statement.