Users with the manage security permissions privilege can grant or revoke security-related server-wide privileges and security-related database-wide privileges. See Table 8-1 and Table 8-2, respectively, for a list of these privileges.

| Server-wide privileges |
|---|
| change password |
| checkpoint (on sybsecurity) |
| dump database (on sybsecurity) |
| load database (on sybsecurity) |
| manage any login |
| manage any login profile |
| manage any remote login |
| manage auditing |
| manage roles |
| manage security configuration |
| manage security permissions |
| online database (on sybsecurity) |
| own database (on sybsecurity) |
| set proxy |
| use database (on sybsecurity) |

| Database-wide privileges |
|---|
| create encryption key |
| decrypt any table |
| manage any encryption key |
| manage column encryption key |
| manage database permissions |
| manage master key |
| manage service key |
| update any security catalog |

The manage security permissions privilege is initially granted explicitly to the sso_role on a newly installed server and, by default, the sa account has the manage security permissions privilege. Once you revoke manage server permissions from the sso_role, a user with this role cannot grant or revoke any security-related privilege.
To keep a user from unintentionally causing the server to be locked, Adaptive Server ensures that the server contains at least one unlocked user account with the manage security permissions privilege.
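
The following is an added example, not Adaptive Server code or anything from the product documentation: a small Python model of the rule above that an administrator could run over an exported list of logins and grants before a change, to see which unlocked accounts would still hold manage security permissions after a proposed revoke or account lock. The data is constructed, the logins alice, bob and carol and the roles sec_admin_role and perm_mgr_role are hypothetical, and it assumes the privilege can be held through a role that is granted to another role.

```python
# Added example: a model of the lockout guard, not Adaptive Server code.
PRIV = "manage security permissions"

# Constructed sample data; login and role names other than sa, sa_role and
# sso_role are hypothetical.
LOGINS = {
    "sa":    {"locked": True,  "roles": {"sa_role", "sso_role"}},
    "alice": {"locked": False, "roles": {"sso_role"}},
    "bob":   {"locked": False, "roles": {"sec_admin_role"}},
    "carol": {"locked": True,  "roles": {"sec_admin_role"}},
}
# Assumption: a role can contain other roles, and privileges flow through.
ROLE_CONTAINS = {"sec_admin_role": {"perm_mgr_role"}}
GRANTS = {("sso_role", PRIV), ("perm_mgr_role", PRIV)}


def effective_roles(direct_roles, role_contains):
    """Expand a login's roles through role-to-role grants (cycle-safe)."""
    seen, stack = set(), list(direct_roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(role_contains.get(role, ()))
    return seen


def holders_after(logins, role_contains, grants, revoke=None, lock=None):
    """Unlocked logins still holding PRIV after a proposed revoke and/or lock."""
    kept = {g for g in grants if g != (revoke, PRIV)}
    holders = []
    for name, info in logins.items():
        if info["locked"] or name == lock:
            continue
        grantees = {name} | effective_roles(info["roles"], role_contains)
        if any((g, PRIV) in kept for g in grantees):
            holders.append(name)
    return sorted(holders)


def change_is_safe(logins, role_contains, grants, revoke=None, lock=None):
    """True if at least one unlocked holder of PRIV remains after the change."""
    return bool(holders_after(logins, role_contains, grants, revoke, lock))


if __name__ == "__main__":
    print(holders_after(LOGINS, ROLE_CONTAINS, GRANTS))
    print(holders_after(LOGINS, ROLE_CONTAINS, GRANTS, revoke="sso_role"))
    print(change_is_safe(LOGINS, ROLE_CONTAINS, GRANTS, revoke="sso_role", lock="bob"))
```

In the sample data, revoking the privilege from sso_role leaves bob as the only unlocked holder, so locking bob as well is the change that would leave none.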