SETUSER Statement

Allows a user to temporarily assume the roles and system privileges of another user (also known as impersonation) to perform operations, provided they already have the minimum required privileges to perform the task to begin with.

Note: The SET USER system privilege is two words; the SETUSER statement is one word.

Syntax

SETUSER userID

Usage

At-least criteria validation occurs when the SETUSER statement is executed, not when the SET USER system privilege is granted.

UserID must be the name of an existing user or role that has a login password.

To terminate a successful impersonation, issue the SETUSER statement without specifying a userID.

Standards

ANSI SQL – Compliance level: Transact-SQL extension.

Permissions

  1. The impersonator has been granted the right to impersonate the target user.
  2. The impersonator has, at minimum, all the roles and system privileges granted to the target user.
  3. The impersonator has been granted the said roles and system privileges with similar or higher administrative rights.
    Note: For the purposes of meeting the administrative rights criteria, the WITH ADMIN OPTION and WITH ADMIN ONLY OPTION clauses are considered to grant similar administrative rights, and both are considered to grant higher administrative rights than the WITH NO ADMIN OPTION clause. For example, User1 is granted Role1 with the WITH ADMIN OPTION clause, User2 is granted Role1 with the WITH ADMIN ONLY OPTION clause, and User3 is granted Role1 with the WITH NO ADMIN OPTION clause. User1 and User2 are said to be granted Role1 with similar administrative rights, and both are said to be granted Role1 with higher administrative rights than User3.
  4. If the target user has been granted a system privilege which supports extensions, the clauses used to grant the system privilege to the impersonator are a super-set of those used for the target user. Currently, only the SET USER and CHANGE PASSWORD system privileges support extensions.
    Note:
    • The ANY clause is considered a super-set of the target_roles_list and target_users_list clauses. If the target user has been granted the SET USER system privilege with an ANY grant, the impersonator must also have the ANY grant.
    • If the target user has been granted the SET USER system privilege with both the target_roles_list and target_users_list clauses, the impersonator must also have been granted the system privilege with both clauses, and the target list of each clause must be equal to or a super-set of the corresponding list granted to the target user. For example, if both the impersonator and the target user have been granted the target_users_list User1, User2 and the target_roles_list Role1, Role2, the target list grants for each clause are said to be equal. Alternately, if the impersonator has been granted User1, User2 and Role1, Role2 while the target user has been granted only User1 and Role2, the target list grants of the impersonator are said to be a super-set of those of the target user.
    • If the target user has been granted the SET USER system privilege with a single target list clause, the target list of the impersonator must be equal to or a super-set of the list of the target user. For example, if the target_users_list of both the impersonator and the target user contains User1 and User2, the lists are equal; if the impersonator's list contains User1, User2 while the target user's list contains only User2, the impersonator's list is a super-set of the target user's list.
    • By definition, a user can always impersonate themselves. Therefore, if the target user has been granted the right to impersonate the impersonator, this does not violate the equal to or a super-set of criteria requirement of the impersonator. For example, User3 is the impersonator and User4 is the target user. The target_users_list for User3 contains User4 and User5. The target_users_list for User4 contains User3 and User5. If you remove the impersonator (User3) from the target user's list, the target list of User3 meets the criteria requirement.
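The four permission criteria above, modelled as an added Python check so the ordering and super-set rules can be exercised against sample grants. This is not SAP's implementation: the Principal and SetUserGrant classes, the ADMIN_RANK table and the User3/User4 data are assumptions constructed to mirror the criteria, including the self-impersonation exemption from the last bullet.

```python
from dataclasses import dataclass

# Criterion 3: ADMIN OPTION and ADMIN ONLY OPTION are similar; both outrank NO ADMIN OPTION.
ADMIN_RANK = {"NO ADMIN OPTION": 0, "ADMIN ONLY OPTION": 1, "ADMIN OPTION": 1}

@dataclass(frozen=True)
class SetUserGrant:  # one SET USER grant: ANY, or explicit target_users/target_roles lists
    admin: str = "NO ADMIN OPTION"
    any_target: bool = False
    target_users: frozenset = frozenset()
    target_roles: frozenset = frozenset()

@dataclass
class Principal:
    name: str
    grants: dict                          # role or system-privilege name -> admin clause
    set_user: "SetUserGrant | None" = None

def can_impersonate(imp: Principal, tgt: Principal) -> tuple:
    """Model of the at-least check made when SETUSER executes (criteria 1 to 4)."""
    mine, theirs = imp.set_user, tgt.set_user
    # Criterion 1: the impersonator holds a SET USER grant that covers this target.
    if mine is None:
        return False, "impersonator lacks SET USER"
    if not (mine.any_target or tgt.name in mine.target_users | mine.target_roles):
        return False, f"{tgt.name} is not in the impersonator's target lists"
    # Criteria 2 and 3: every role/privilege of the target, with similar or higher admin rights.
    for name, clause in tgt.grants.items():
        if name not in imp.grants:
            return False, f"impersonator lacks {name}"
        if ADMIN_RANK[imp.grants[name]] < ADMIN_RANK[clause]:
            return False, f"lower administrative rights on {name}"
    # Criterion 4: the target's own SET USER grant must be a subset of the impersonator's.
    if theirs is not None:
        if ADMIN_RANK[mine.admin] < ADMIN_RANK[theirs.admin]:
            return False, "lower administrative rights on SET USER"
        if theirs.any_target and not mine.any_target:
            return False, "target holds SET USER ANY; impersonator does not"
        if not mine.any_target:
            # A user can always impersonate themselves: drop the impersonator's own name first.
            users = theirs.target_users - {imp.name}
            if not (users <= mine.target_users and theirs.target_roles <= mine.target_roles):
                return False, "target's SET USER target lists exceed the impersonator's"
    return True, "ok"

def page_example() -> bool:
    # Last bullet of criterion 4 (constructed data): User3 impersonates User4.
    user3 = Principal("User3", {}, SetUserGrant(target_users=frozenset({"User4", "User5"})))
    user4 = Principal("User4", {}, SetUserGrant(target_users=frozenset({"User3", "User5"})))
    return can_impersonate(user3, user4)[0]
```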