Granular permissions enable you to grant system privileges, allowing you to construct
site-specific roles with privileges that match your requirements, and to restrict system
administrators and database owners from accessing user data.
The granular permissions feature requires the ASE_PRIVACY license.
To enable granular permissions, set the configuration parameter
enable granular permissions to 1.
You must have sso_role privileges to turn on granular permissions, and the
manage security configuration system privilege to turn off
granular permissions.
To grant the following permissions, the system privilege manage server permissions
is required, and for database sybsecurity, the system privilege
manage security permissions is required:
- checkpoint
- dump database
- load database
- online database
- own database
- use database
When enable granular permissions is set to 1:
- Permission checks are made, and only users with the appropriate permissions
see the menu options available for setting permissions. For example, the
Change Password option is available only if you have the Manage Any Encryption
Key permission or you are the key owner for the column encryption key.
- System-defined roles (sa_role, sso_role, oper_role, and replication_role)
are explicitly granted a set of privileges. You have the option to revoke
explicitly granted system privileges from system-defined roles.
- The system privilege manage security permissions is
required to restore dbo user privileges.
The sa_role is granted the system privilege own any database by
default. This privilege allows a system administrator to become the database owner
of any user database. However, database owners can revoke the own any
database privilege from the sa_role.
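The steps above as an isql session, added here as an example and not taken from the original documentation. The role name site_perm_admin is hypothetical, and the grant and revoke statements assume the standard grant/revoke form for the privileges named on this page; confirm the exact syntax in the Security Administration Guide.

```sql
-- Added example. Enabling the parameter requires sso_role (see the text above).
use master
go

-- Report the current value before changing it.
sp_configure "enable granular permissions"
go

-- Turn granular permissions on (requires the ASE_PRIVACY license).
sp_configure "enable granular permissions", 1
go

-- Site-specific role (hypothetical name) used to delegate permission management
-- instead of handing out a system-defined role.
create role site_perm_admin
go
grant manage server permissions to site_perm_admin
go

-- Remove the default ability of sa_role to become owner of any user database.
revoke own any database from sa_role
go

-- Review what each role now holds.
sp_helprotect sa_role
go
sp_helprotect site_perm_admin
go
```

Comparing the sp_helprotect output for sa_role before and after the revoke confirms that own any database is no longer listed.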
For complete information about how to manage granular permissions in Adaptive Server,
see the Security Administration Guide.