A user can successfully impersonate another user only if a specific set of criteria
is met, also called the at-least requirements.
Scenario 1
Assuming that the second and third criteria are met, consider the following scenario:
- There are five users: User1, User2, User3, User4, and User5.
- There are two roles: Role1 and Role2.
- User1 was granted the SET USER system privilege with the ANY clause.
- User2 was granted the SET USER system privilege with the target_users_list clause for User1 and User4.
- User3 was granted the SET USER system privilege with the target_users_list clause for User1, User2, User4, and User5, and the ANY WITH ROLES target_roles_list clause for Role1 and Role2.
- User4 was granted the SET USER system privilege with the ANY clause and the target_roles_list clause for Role1.
- User5 was granted the SET USER system privilege with the target_users_list clause for User4 and the ANY WITH ROLES target_roles_list clause for Role1.
User1 and User4 can successfully impersonate User2, User3, and User5 because each is granted the SET USER system privilege with the ANY clause (Criteria 4).
User1 and User4 can impersonate each other because they each have the ANY grant (Criteria 4).
User2, User3, and User5 cannot impersonate User1 or User4 because they do not have the ANY grant (Criteria 4).
User2 cannot impersonate User3 or User5 because:
- User2 is not granted the right to impersonate these users (Criteria 1).
- The SET USER system privilege is not granted to User2 with the target_roles_list clause (Criteria 4).
User3 can successfully impersonate User2 because:
- User3 is granted the right to impersonate User2 via the target_users_list clause (Criteria 1).
- The target_users_list clause for User3 is a super-set of the one granted to User2 (Criteria 4). Though User3 has a grant with the target_roles_list clause, it is not required to satisfy the requirements for impersonation of User2, because the latter does not have the same grant.
User3 can successfully impersonate User5 because:
- User3 is granted the right to impersonate User5 via the target_users_list clause (Criteria 1).
- The target_users_list clause for User3 is a super-set of the one granted to User5 (Criteria 4).
- The target_roles_list clauses for User3 and User5 are equivalent (Criteria 4).
User5 cannot impersonate any other user because:
- User1 and User4 have an ANY grant (Criteria 4).
- User2 and User3 have a grant with a target_users_list clause that is not a sub-set of the grant to User5 (Criteria 4).
- User3 has a grant with a target_roles_list clause that is not a sub-set of the one granted to User5 (Criteria 4).
Validation of the criteria occurs when the SETUSER statement is executed, not when the SET USER system privilege is granted. If a user fails to meet any of the criteria when the SETUSER statement is issued, a permission denied message appears and the impersonation does not begin.
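The following Python model, added here as an illustration and not the database server's own implementation, encodes the at-least check exactly as Scenario 1 applies it: an ANY grant covers every other user, and a target_users_list grant covers a target only when the target's own target_users_list and target_roles_list are sub-sets of the impersonator's and the target holds no ANY grant. Criteria 2 and 3 are assumed met, as in the scenario; the grant table is constructed from the scenario, and the treatment of a target with no SET USER grant is an assumption of the model. The check is evaluated against the current grants on every call, mirroring validation at SETUSER time rather than at grant time.

```python
"""Model of the SET USER 'at-least' impersonation check as Scenario 1 applies it.
Illustrative only; not SQL Anywhere's own implementation."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class SetUserGrant:
    """One SET USER system privilege grant.

    any_user:     True when the grant carries the ANY clause.
    target_users: users named in a target_users_list clause (empty for ANY).
    target_roles: roles named in a target_roles_list clause.
    """
    any_user: bool = False
    target_users: frozenset = frozenset()
    target_roles: frozenset = frozenset()


# Constructed grant table reproducing Scenario 1.
GRANTS = {
    "User1": SetUserGrant(any_user=True),
    "User2": SetUserGrant(target_users=frozenset({"User1", "User4"})),
    "User3": SetUserGrant(target_users=frozenset({"User1", "User2", "User4", "User5"}),
                          target_roles=frozenset({"Role1", "Role2"})),
    "User4": SetUserGrant(any_user=True, target_roles=frozenset({"Role1"})),
    "User5": SetUserGrant(target_users=frozenset({"User4"}),
                          target_roles=frozenset({"Role1"})),
}


def can_impersonate(grants, impersonator, target):
    """Return (allowed, reason) for one SETUSER attempt.

    Criterion 1: the impersonator's grant must name the target (ANY or target_users_list).
    Criterion 4: the impersonator's grant must be at least as broad as the target's own grant.
    Criteria 2 and 3 are assumed met, as in the scenario.
    """
    if impersonator == target:
        return False, "a user does not impersonate itself"
    a = grants.get(impersonator)
    # Assumption of this model: a target with no SET USER grant imposes no at-least requirement.
    b = grants.get(target, SetUserGrant())
    if a is None:
        return False, "Criteria 1: impersonator holds no SET USER grant"
    # Criterion 1: right to impersonate this particular user.
    if not (a.any_user or target in a.target_users):
        return False, "Criteria 1: not granted the right to impersonate this user"
    # Criterion 4, ANY branch: as the scenario applies it, ANY covers every other user.
    if a.any_user:
        return True, "Criteria 4: ANY grant"
    # Criterion 4, target_users_list branch: the target's grant must be a sub-set.
    if b.any_user:
        return False, "Criteria 4: target holds an ANY grant and the impersonator does not"
    if not b.target_users <= a.target_users:
        return False, "Criteria 4: target_users_list is not a sub-set of the impersonator's"
    if not b.target_roles <= a.target_roles:
        return False, "Criteria 4: target_roles_list is not a sub-set of the impersonator's"
    return True, "Criteria 1 and 4: impersonator's lists are super-sets of the target's"


def impersonation_matrix(grants):
    """All (impersonator, target) pairs for which SETUSER would succeed,
    evaluated against the grants as they stand now (validation is at SETUSER time)."""
    return {(a, b) for a, b in permutations(grants, 2) if can_impersonate(grants, a, b)[0]}


if __name__ == "__main__":
    for a, b in sorted(impersonation_matrix(GRANTS)):
        print(f"{a} -> {b}: {can_impersonate(GRANTS, a, b)[1]}")
```

Running the module lists the ten pairs the scenario allows: User1 and User4 impersonating everyone else, and User3 impersonating User2 and User5. Because the matrix is recomputed from the live grant table, revoking or widening a grant changes the next SETUSER outcome immediately, which is the behaviour the validation paragraph above describes.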