By default, the database user account usedb_user is added to each database. When granular permissions is enabled, a user accessing a database will assume the user name usedb_user if the user is granted the use database privilege on the database, and the following conditions apply to the user:
Does not have own database privilege on the database
Does not hold an identity as a valid user in the database
Is not aliased to another valid user in the database
The following rules apply to the user account usedb_user:
usedb_user is only authorized to perform operations in the database that are allowed for public. To perform any additional operations, the user must acquire the corresponding privileges. A user may acquire privileges in a database through roles when he or she is not a valid user in the database.
To create an object, the user must be a valid user in the database.
Allowing a user to access a database as usedb_user will provide the user the ability to execute a server-wide privilege in a database without being added as a valid user in the database.
For example, Bob is a valid user in master database, but not a valid user for database db1 which does not have a guest user account. Bob has manage security permissions privileges in the master database.
To allow Bob to execute manage security permissions in db1, a user with manage server permissions privilege can issue:
grant use database on db1 to bob
Bob can now access database db1 and issue the commands to grant manage any encryption key privileges to user Alice:
use db1 grant manage any encryption key to alice
Adaptive Server records the grantor of manage any encryption key in sysprotects as the user ID of usedb_user.
