Creating a User-Extended Role

Add a new user-extended role to the database.

Prerequisites

Database Version	Role-Based User-Extended Role Privileges
SAP Sybase IQ 15.3 and 15.4	Not supported.
SAP Sybase IQ 16.0	Create a role – you must have both the MANAGE ANY USER and MANAGE ROLES system privileges. Grant a role during user-extended role creation – you must have one of: Administrative rights over the role being granted (role administrator) MANAGE ROLES system privilege if the role being granted has a global role administrator Grant a system privilege during user-extended role creation - You must have administrative rights over the system privilege being granted.

Database Version

Role-Based User-Extended Role Privileges

SAP Sybase IQ 15.3 and 15.4

Not supported.

SAP Sybase IQ 16.0

Create a role – you must have both the MANAGE ANY USER and MANAGE ROLES system privileges.

Grant a role during user-extended role creation – you must have one of:

Administrative rights over the role being granted (role administrator)
MANAGE ROLES system privilege if the role being granted has a global role administrator

Grant a system privilege during user-extended role creation - You must have administrative rights over the system privilege being granted.

The SAP Sybase IQ resource is authenticated and running.
The selected resource supports role-based security

Task

In the Perspective Resources view, select the resource, and select Resource > Administration Console.
In the left pane, expand IQ Servers > Security > Role-Based, and then select User-Extended Roles.
Click the arrow next to User-Extended Roles and select New.
The Create User-Extended Role Wizard appears.

On the Welcome page, specify

Option	Description
Select a resource on which the user will be created.	Select a resource from the list. Note: If the selected resource does not support role-based security, an error message appears.
What do you want to name the new user?	Enter a unique user ID.

Click Next.

On the Password page:

Option	Description
Enable password	Select to allow a user to connect to the database with password security. Leave this option unselected to disable the password and confirm password options.
Password	Create a strong user password. Characters appear as asterisks.
Confirm password	Confirms the password. The contents of the two password fields must match exactly.
Requires password change on next login	Select to force a user to change his or her password at the next login. Note: This functionality is not currently implemented in SAP Control Center. When logging in to SAP Control Center, a user will not be prompted to change their password. He or she will be prompted, however, when logging in to SAP Sybase IQ outside of SAP Control Center (for example, using Interactive SQL).
Login policy	Select a login policy from the list.

Click Next.
(Optional) On the Administrators page, select one or more administrators.

Note: It is strongly recommended that you do not select any role administrators when creating a new role; add them once the creation process is complete. If at least one role administrator is specified during creation, global role administrators will be unable to manage the role because the MANAGE ROLES system privilege is not automatically granted to the role.
1. (Optional) If an administrator is selected, indicate whether the administrator is to be granted membership in the role along with administrative rights (Administrative and role) or administrative rights only (default).
  
  Note: Only one privilege level can be defined for all selected administrators when specified during the create process. However, the privilege level can be later modified. See
Click Next.

(Optional) On the Roles page, highlight a role to be granted. Click in the Grant Option column, click the arrow, and select the administrative rights to be granted.

Grant Option	Description
Role only	(default) Grantee can use the underlying system privileges of the role only.
Administrative only	Grantee can grant and revoke the selected role to other users and roles, but cannot use its underlying system privileges.
Administrative and role	Grantee can grant and revoke the selected role to other users and roles and use its underlying system privileges.

Only roles to which you have administrative rights appear on the list.
By default, a new user or user-extended role is automatically granted the PUBLIC system role with the "Role only" privilege (user is a member of the role, but has no administrative rights on the role). There is no need to add the PUBLIC role when creating a user, user-extended role, or standalone role.
When you grant a role to a user, user-extended role, or standalone role, unless otherwise noted, any underlying system privileges of the role being granted are automatically inherited by the user, user-extended role, or standalone role.

Repeat step 10 to grant additional roles.
Click Next.

(Optional) On the System Privileges page, highlight a system privilege to be granted. Click in the Grant Option column, click the arrow, and select the administrative rights to be granted.

Note: Only system privileges to which you have administrative rights appear on the list.

Grant Option	Description
Privilege only	(default) Grantees can perform authorized tasks requiring the selected privilege, but cannot grant the system privilege to other users and roles.
Administrative only	Grantees can grant and revoke the selected system privilege to other users and roles, but cannot perform authorized tasks requiring the selected system privilege.
Administrative and privilege	Grantees can grant and revoke the selected system privilege to other users and roles and can perform authorized tasks requiring the selected system privilege.

Repeat step 13 to grant additional privileges.
Click Next.
(Optional) On the Comment page, enter a comment for this user.
Click Finish.