Add a role as an underlying role of a standalone role. Members of the system role
inherit the system privileges of the underlying role, but do not become members of the
underlying role. Members of the underlying role do not become members of the standalone
role.
Prerequisites
| Database Version |
Role-Based System Role Privileges |
|---|
| SAP Sybase IQ 15.3 and 15.4 |
Not supported. |
| SAP Sybase IQ
16.0 |
To enable the Manage Roles
option – you must have the MANAGE ROLES system privilege.To then add an underlying role – you must have one of: - Administrative rights over the underlying
role (role administrator)
- MANAGE ROLES system privilege if the
underlying role has a global role administrator
|
- The SAP Sybase IQ resource is authenticated and
running.
- The selected resource supports role-based
security
Task- In the Perspective Resources view, select the resource, and
select .
- In the left pane, expand , and then select System Roles.
- Select a system role from the right pane and either:
- Click the arrow to the right of the name and select Manage
Roles, or
- From the Administration Console menu bar, select .
Warning! When adding an underlying role to a role, be sure you select the correct menu option.
Each option has different inheritance outcomes. To review the differences, see
Security Implications of the Managing Grantees and Managing Roles
Options.
A list of underlying roles currently granted to the system role
appears.
- Click Grant.
- Select one or more underlying roles to grant.
Tip: Use Shift-click or
Control-click to select multiple roles.
- Click OK to grant the role.
Newly granted underlying roles appear with Role only rights
(no administrative rights).
- (Optional) (For compatibility and user-defined roles only) To modify the
administrative rights of an underlying role, highlight a role. Click in the Grant Options column, click the arrow,
and select the administrative rights to be granted.
| Grant Option |
Description |
|---|
| Role only |
(default) Grantee can use the underlying system privileges of the
role only. |
| Administrative only |
Grantee can grant and revoke the selected role to other users and
roles, but cannot use its underlying system privileges. |
| Administrative and role |
Grantee can grant and revoke the selected role to other users and
roles and use its underlying system privileges. |
Note: The following
steps represent a behavior change with SAP Sybase IQ 16.0,
for the following roles only. - SYS_AUTH_DBA_ROLE
- SYS_AUTH_BACKUP_ROLE
- SYS_RUN_REPLICATION_ROLE
- SYS_AUTH_RESOURCE_ROLE
- SYS_AUTH_VALIDATE_ROLE
Prior to 16.0, when
granting membership to one of these roles, the default inheritance behavior was to
not allow members of the role to automatically inherit the underlying system
privileges and roles of the compatibility role. Only the log on user (of the role)
would inherit. As of 16.0, the default behavior is to allow automatic inheritance by
all members of the role.
- (Optional for SYS_AUTH_DBA_ROLE
only) To prevent automatic inheritance of the SYS_AUTH_DBA_ROLE when granted with
the Administrative and Role option, click in the Inheritance
column, and select No Inheritance.
- (Optional for SYS_AUTH_DBA_ROLE,
SYS_AUTH_BACKUP_ROLE, SYS_RUN_REPLICATION_ROLE, SYS_AUTH_RESOURCE_ROLE, or
SYS_AUTH_VALIDATE_ROLE only) To prevent automatic inheritance when granted with
Role only option, click in the Inheritance column, and
select No Inheritance.
- Do one of:
- Click OK to update any changes to the
database and exit the properties view.
- Click Apply to update any changes to the database, but
remain in the properties view.
- Click Cancel to cancel any changes not
updated to the database and exit the properties view.