The table owner or the SSO can grant decrypt permission on a table or a list of columns in a table if you have not configured 'restricted decrypt permission'. If you have configured restricted decrypt permission, only the SSO can grant decrypt permission.
The syntax is:
grant decrypt on [ owner. ]tablename[(columnname [{,columname}])]
to user | group | role
with grant option
grant all on a table or column does
not grant decrypt permission
