Creating secure feature keys

To control the database features available to users, use the secure features database server option (-sf) to specify the features that users are prevented from accessing on the database server.

Use the -sk database server option to create a system secure feature key. Use the sp_create_secure_feature_key system procedure to create a customized secure feature key.

Secure feature settings apply to all databases running on a database server.

The secure features option (-sf) controls the availability of such features as:
  • server-side backups
  • external stored procedures
  • remote data access
  • web services

The -sk option specifies a system secure feature key that can be used to manage access to secure features for a database server. If you want to alter the list of secured features once the database server is running, use the sa_server_option system procedure. To alter a customized secure feature key once the database server is running, use the sp_alter_secure_feature_key system procedure.

  1. At a command prompt, start the database server using the -sf and -sk options.
    For example, the following command starts the database server and secures all features. The command also includes a key that can be used later to allow access to secured features for a connection.
    dbsrv16 -n secure_server -sf all -sk someSystemKey c:\mydata.db 
  2. Connect to the database server:
    dbisql -c "UID=DBA;PWD=sql;Host=myhost;Server=secure_server;DBN=demo"
  3. Call the sp_use_secure_feature_key system procedure to specify that the secure feature key for the connection is the same as that specified by the -sk option:
    CALL sp_use_secure_feature_key ( 'system' , 'someSystemKey' );
  4. To change the secure features of the system secure feature key, use the sa_server_option system procedure. For example:
    CALL sa_server_option( 'SecureFeatures', '-remote_data_access' );
  5. Create a customized secure feature key for the user Bob that allows Bob to send emails:
    CALL sp_create_secure_feature_key ( 'bobsKey' , 'anotherAuthKey' , 'sa_send_email' );
  6. After logging in to the database, Bob must run the following command before he can send emails:
    CALL sp_use_secure_feature_key ( 'bobsKey' , 'anotherAuthKey' );

Users of databases running on the database server secure_server are prevented from accessing all secured features except the remote_data_access feature. The user Bob, however, also has access to the sa_send_email feature.
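
The steps above create and use keys. The following added example (not part of the original documentation) continues the administrator's session from step 3 to cover the rest of a key's life: listing the defined keys, rotating the authorization key of bobsKey with sp_alter_secure_feature_key, and dropping the key. It assumes that sp_alter_secure_feature_key takes the same (name, authorization key, feature list) arguments as sp_create_secure_feature_key; 'rotatedAuthKey' is a constructed value.

```sql
-- Added example. Run on the connection that already executed
--   CALL sp_use_secure_feature_key ( 'system' , 'someSystemKey' );
-- so that key management is permitted for this connection.

-- 1. Review which customized keys exist and which features each one unlocks.
CALL sp_list_secure_feature_keys ( );

-- 2. Rotate Bob's authorization key while keeping the same feature list.
--    Assumption: argument order mirrors sp_create_secure_feature_key
--    (key name, new authorization key, feature list).
--    'rotatedAuthKey' is a constructed sample value.
CALL sp_alter_secure_feature_key ( 'bobsKey' , 'rotatedAuthKey' , 'sa_send_email' );

-- 3. On his own connection, Bob now activates the key with the new value:
--      CALL sp_use_secure_feature_key ( 'bobsKey' , 'rotatedAuthKey' );
--    The old value 'anotherAuthKey' should be treated as retired.

-- 4. When Bob no longer needs to send email, remove the key entirely
--    so it cannot be used by any connection.
CALL sp_drop_secure_feature_key ( 'bobsKey' );

-- 5. Confirm the key is gone.
CALL sp_list_secure_feature_keys ( );
```

Check the argument lists against the reference pages listed below before running this on a production server.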

Related reference
-sk iqsrv16 database server option
-sf iqsrv16 database server option
sp_alter_secure_feature_key System Procedure
sp_create_secure_feature_key System Procedure
sp_drop_secure_feature_key System Procedure
sp_list_secure_feature_keys System Procedure
sp_use_secure_feature_key System Procedure