Enabling Granular Permissions

Granular permissions let you grant system privileges, so that you can construct site-specific roles with privileges that match your requirements and restrict system administrators and database owners from accessing user data.

The granular permissions feature requires the ASE_PRIVACY license.

To enable granular permissions, set the configuration parameter enable granular permissions to 1.

You must have sso_role privileges to turn on granular permissions, and the manage security configuration system privilege to turn off granular permissions.

Granting the following permissions requires the system privilege manage server permissions, and accessing the sybsecurity database requires the system privilege manage security permissions:
  • checkpoint
  • dump database
  • load database
  • online database
  • own database
  • use database

When enable granular permissions is set to 1:
  • Checks for permissions are conducted and only users with the appropriate permissions see the menu options available for setting those permissions. For example, the Change Password option is available only if you have Manage Any Encryption Key permission, or if you are the key owner for the column encryption key.
  • System-defined roles (sa_role, sso_role, oper_role, and replication_role) are explicitly granted a set of default privileges. You have the option to revoke explicitly granted system privileges from system-defined roles.
  • The system privilege manage security permissions is required to restore dbo user privileges.

By default, the sa_role is granted the system privilege own any database. This privilege allows a system administrator to become the database owner of any user database. However, database owners can revoke the own any database privilege from the sa_role.

To generate DDL for encryption keys, logins, and roles:
  • You must have the Select Any System Catalog privilege on the master database to generate DDL for logins or roles.
  • For encryption keys, you must have Select Any System Catalog privilege on the database where the encryption key resides.

Select Any System Catalog is not an automatically granted privilege, even if you can access system catalogs. If you have sso_role, you are automatically given the Manage Security Permissions privilege when granular permissions is enabled. Once you have the Manage Security Permissions privilege, you can grant the Select Any System Catalog privilege to yourself or other users to allow access to generate DDL.
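
The enablement and DDL-access delegation described above, written as isql commands. This is an added example, not taken from the SAP documentation; the role name ddl_reader_role, the login audit_login and the database salesdb are hypothetical.

```sql
-- Added example. ddl_reader_role, audit_login and salesdb are hypothetical names.
-- Run as a login that holds sso_role.

-- 1. Enable granular permissions (requires the ASE_PRIVACY license).
sp_configure "enable granular permissions", 1
go
-- Display the parameter again to confirm the run value is 1.
sp_configure "enable granular permissions"
go

-- 2. Create a site-specific role used only for DDL generation.
create role ddl_reader_role
go

-- 3. DDL for logins and roles: the privilege is needed on master.
use master
go
grant select any system catalog to ddl_reader_role
go

-- 4. DDL for encryption keys: the privilege is needed in the
--    database where the key resides.
use salesdb
go
grant select any system catalog to ddl_reader_role
go

-- 5. Give the role to the login that will generate DDL.
grant role ddl_reader_role to audit_login
go

-- 6. Review what the role holds in the current database.
sp_helprotect ddl_reader_role
go
```

Granting the privilege to a dedicated role, rather than to individual logins, keeps catalog access revocable in one place.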

For complete information about how to manage granular permissions in SAP ASE, see the Security Administration Guide.
