Controls whether users have access to features for databases running on the current database server. A secured feature can only be accessed by a user with appropriate privileges, while an unsecured feature can be accessed by all users.
Syntax
iqsrv16 -sf feature-list ...
feature-list :
feature-name | feature-set [ ,feature-name | feature-set ] ...
Feature set | Included features (feature sets in bold)
none | All features are unsecured except manage_features, manage_keys, and disk_sandbox.
manage_server |
manage_security |
  - manage_features
  - manage_keys
  - manage_disk_sandbox
server_security |
  - disk_sandbox
  - trace_system_event
all |
  - client
    - read_client_file
    - write_client_file
  - remote
    - remote_data_access
    - send_udp
    - send_email
    - web_service_client
  - local
    - local_call
      - cmdshell
      - external_procedure
      - java
    - local_db
      - backup
      - restore
      - database
      - dbspace
    - local_env
    - local_io
      - create_trace_file
      - read_file
      - write_file
      - directory
      - sp_list_directory
      - sp_create_directory
      - sp_copy_directory
      - sp_move_directory
      - sp_delete_directory
      - sp_copy_file
      - sp_move_file
      - sp_delete_file
    - local_log
      - request_log
      - console_log
      - webclient_log
Parameters
- none – Specifies that no features are secured.
- manage_server – Prevents users from accessing all database server-related features. This set consists of the following features:
  - processor_affinity – Prevents users from changing the processor affinity (the number of logical processors being used) of the database server.
- manage_security – Prevents users from accessing features that allow the management of database server security. By default, these features are secured.
- server_security – Prevents users from accessing features that can temporarily bypass security settings. By default, these features are secured.
  - disk_sandbox – Prevents users from performing read-write file operations on the database outside the directory where the main database file is located.
  - trace_system_event – Prevents users from creating user-defined trace events.
- all – Prevents users from accessing the following groups:
  - client – Prevents users from accessing all features that allow access to client-related input and output. This feature controls access to the client computing environment. This set consists of the following features:
    - read_client_file – Prevents the use of statements that can cause a client file to be read. For example, the READ_CLIENT_FILE function and the LOAD TABLE statement.
    - write_client_file – Prevents the use of all statements that can cause a client file to be written to. For example, the UNLOAD statement and the WRITE_CLIENT_FILE function.
  - remote – Prevents users from accessing all features that allow remote access or communication with remote processes. This set consists of the following features:
    - remote_data_access – Prevents the use of any remote data access services, such as proxy tables.
    - send_udp – Prevents the ability to send UDP packets to a specified address by using the sa_send_udp system procedure.
    - send_email – Prevents the use of email system procedures, such as xp_sendmail.
    - web_service_client – Prevents the use of web service client stored procedure calls (stored procedures that issue HTTP requests).
  - local – Prevents users from accessing all local-related features. This feature controls access to the server computing environment. This set consists of the local_call, local_db, local_io, and local_log feature subsets.
    - local_call – Prevents users from accessing all features that provide the ability to execute code that is not directly part of the database server and is not controlled by the database server. This set consists of the following features:
      - cmdshell – Prevents the use of the xp_cmdshell procedure.
      - external_procedure – Prevents the use of external stored procedures. This setting does not disable the use of the xp_* system procedures (such as xp_cmdshell, xp_readfile, and so on) that are built into the database server. Separate feature control options are provided for these system procedures.
      - external_procedure_v3 – External C or C++ procedure. See the User-Defined Functions guide for information on C and C++ UDFs.
      - java – Prevents the use of Java-related features, such as Java procedures.
    - local_db – Prevents users from accessing all features related to database files. This set consists of the following features:
      - backup – Prevents the use of the BACKUP statement, and with it, the ability to run server-side backups. You can still perform client-side backups by using the dbbackup utility.
      - restore – Prevents the use of the RESTORE DATABASE statement.
      - database – Prevents the use of the CREATE DATABASE, ALTER DATABASE, DROP DATABASE, CREATE ENCRYPTED FILE, CREATE DECRYPTED FILE, CREATE ENCRYPTED DATABASE, and CREATE DECRYPTED DATABASE statements.
      - dbspace – Prevents the use of the CREATE DBSPACE, ALTER DBSPACE, and DROP DBSPACE statements.
    - local_env – Prevents users from accessing all features related to environment variables. This set consists of the following features:
      - getenv – Prevents users from reading the value of any environment variable.
    - local_io – Prevents users from accessing all features that allow direct access to files and their contents. This set consists of the following features:
      - create_trace_file – Prevents the use of statements that create an event tracing target.
      - read_file – Prevents the use of statements that can cause a local file to be read. For example, the xp_read_file system procedure, the LOAD TABLE statement, and the use of OPENSTRING( FILE... ). The alternate names load_table and xp_read_file are deprecated.
      - write_file – Prevents the use of all statements that can cause a local file to be written to. For example, the UNLOAD statement and the xp_write_file system procedure. The alternate names unload_table and xp_write_file are deprecated.
      - delete_file – Prevents the use of all statements that can cause a local file to be deleted. For example, securing this feature causes the dbbackup utility to fail if the -x or -xo options are specified.
      - directory – Prevents the use of directory class proxy tables. This feature is disabled when remote_data_access is disabled.
      - sp_list_directory – Prevents the use of the sp_list_directory system procedure.
      - sp_create_directory – Prevents the use of the sp_create_directory system procedure.
      - sp_copy_directory – Prevents the use of the sp_copy_directory system procedure.
      - sp_move_directory – Prevents the use of the sp_move_directory system procedure.
      - sp_delete_directory – Prevents the use of the sp_delete_directory system procedure.
      - sp_copy_file – Prevents the use of the sp_copy_file system procedure.
      - sp_move_file – Prevents the use of the sp_move_file system procedure.
      - sp_delete_file – Prevents the use of the sp_delete_file system procedure.
    - local_log – Prevents users from accessing all logging features that result in creating or writing data directly to a file on disk. This set consists of the following features:
      - request_log – Prevents the ability to change the request log file name and also prevents the ability to increase the limits of the request log file size or number of files. You can specify the request log file and limits on this file in the command to start the database server; however, they cannot be changed once the database server is started. When request log features are disabled, you can still turn request logging on and off and reduce the maximum file size and number of request logging files.
      - console_log – Prevents the ability to change the database server message log file name using the ConsoleLogFile option of the sa_server_option system procedure. Securing this feature also prevents the ability to increase the maximum size of the log file using the ConsoleLogMaxSize option of the sa_server_option system procedure. You can specify a server log file and its size when starting the database server.
      - webclient_log – Prevents the ability to change the web service client log file name using the WebClientLogFile option of the sa_server_option system procedure. You can specify a web service client log file when starting the database server.
Applies to
All operating systems and database servers.
Remarks
This option allows the owner of the database server to control whether users have access to features for databases running on the database server. The -sk option allows the owner of the database server to create a system secure feature key that prevents users from accessing features specified by the -sf option.
If you start a database without specifying a system secure feature key, the default secure features are secured, and you cannot change the secure feature settings for the database server or any databases running on it. You cannot create the system secure feature key later—you must shut down the database server and specify a system secure feature key when you restart it.
The feature-list is a comma-separated list of feature names or feature sets to secure for the database server. Securing a feature makes it inaccessible to all database users other than administrators. Specifying a feature set secures all the features included in the set. To secure one or more, but not all, of the features in the feature set, specify the individual feature name.
Note:
Sub-features of feature sets that are secured by default cannot be unsecured from the command line. In other words, the following command will not work:
-sf manage_security, -manage_keys
Use feature-name to indicate that the feature should be secured (made inaccessible), and -feature-name or feature-name- to indicate that the feature should be unsecured (accessible to all database users). For example, the following command indicates that only dbspace features are accessible to all users:
iqsrv16 -n secure_server -sf all,-dbspace
Example
The following command starts a database server named secure_server with access to the request log and with all remote data access features secured. The key specified by the -sk option can be used later with the sp_use_secure_feature_key system procedure to make these features accessible to all users on the current connection.
iqsrv16 -n secure_server -sf remote,-request_log -sk j978kls12
If a user connected to a database running on the secure_server database server uses the sp_use_secure_feature_key system procedure with the authorization_key parameter set to the same value as that specified by -sk, that connection has access to the remote data access features:
CALL sp_use_secure_feature_key ( 'MyKey' , 'j978kls12' );
The following command secures all features, with the exception of local database features:
iqsrv16 -n secure_server -sf all,-local_db
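A startup line can be reviewed before deployment by expanding its feature-list into individual features. The following is an added example, not part of the product documentation: it uses the hierarchy listed on this page and reports which features a given -sf value leaves accessible. It assumes tokens are applied left to right and that manage_security and server_security are the default-secured sets; WATCH is a hypothetical review list.

```python
# Hierarchy transcribed from this page's table and parameter list.
SETS = {
    "manage_server": ["processor_affinity"],
    "manage_security": ["manage_features", "manage_keys", "manage_disk_sandbox"],
    "server_security": ["disk_sandbox", "trace_system_event"],
    "all": ["client", "remote", "local"],
    "client": ["read_client_file", "write_client_file"],
    "remote": ["remote_data_access", "send_udp", "send_email", "web_service_client"],
    "local": ["local_call", "local_db", "local_env", "local_io", "local_log"],
    "local_call": ["cmdshell", "external_procedure", "external_procedure_v3", "java"],
    "local_db": ["backup", "restore", "database", "dbspace"],
    "local_env": ["getenv"],
    "local_io": ["create_trace_file", "read_file", "write_file", "delete_file",
                 "directory", "sp_list_directory", "sp_create_directory",
                 "sp_copy_directory", "sp_move_directory", "sp_delete_directory",
                 "sp_copy_file", "sp_move_file", "sp_delete_file"],
    "local_log": ["request_log", "console_log", "webclient_log"],
}

def leaves(name):
    """Expand a feature set to individual features; a feature expands to itself."""
    if name not in SETS:
        return {name}
    return set().union(*(leaves(member) for member in SETS[name]))

KNOWN = set(SETS) | {f for s in SETS for f in leaves(s)} | {"none"}
DEFAULT_SECURED = leaves("manage_security") | leaves("server_security")  # assumption
WATCH = {"cmdshell", "external_procedure", "java", "read_file", "write_file"}  # hypothetical

def effective_secured(feature_list):
    """Return (secured features, rejected tokens) for a -sf feature-list."""
    secured, rejected = set(DEFAULT_SECURED), []
    for token in (t.strip() for t in feature_list.split(",")):
        name = token.strip("-")          # -name and name- both mean "unsecure"
        if name not in KNOWN:
            rejected.append(token)       # unknown feature name
        elif name == "none":
            secured = set(DEFAULT_SECURED)
        elif token != name:              # unsecure request
            if leaves(name) & DEFAULT_SECURED:
                rejected.append(token)   # per the Note: defaults stay secured
            secured -= leaves(name) - DEFAULT_SECURED
        else:
            secured |= leaves(name)
    return secured, rejected

def exposed(feature_list, watch=WATCH):
    return sorted(watch - effective_secured(feature_list)[0])
```

For the page's `remote,-request_log` example, `exposed()` returns every entry in WATCH, because none of the local feature sets are secured by that command line.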