System security officers perform security-sensitive tasks in Adaptive Server, including:
Granting the system security officer, operator, and key custodian roles
Administering the audit system
Changing passwords
Adding new logins
Dropping logins
Locking and unlocking login accounts
Creating and granting user-defined roles
Administering network-based security
Granting permission to use the set proxy or set session authorization commands
Creating login profiles
Managing encryption
The system security officer can access any database—to enable auditing —but, in general, has no special permissions on database objects (except for encryption keys and decrypt permission on encrypted columns. See the Users Guide for Encrypted Columns). An exception is the sybsecurity database, where only a system security officer can access the sysaudits table. There are also several system procedures that can be executed only by a system security officer.
System security officers can repair any changes inadvertently done to the protection system by a user. For example, if a database owner forgets the password, a system security officer can change the password to allow the database owner to log in.
The system security officers share login management responsibilities with system administrators. System security officers are responsible for managing logins and login profiles.
System security officers can can grant all system roles except sa_role. They can also create and grant user-defined roles to users, other roles, login profiles, or groups. See “Creating and assigning roles to users”.
