Security Management

SAP® Sybase® IQ provides a role-based security model for controlling access to database objects and executing privileged operations. This model provides complete control and granularity for the privileges you want to grant to users. Each privileged operation in a database requires one or more system or object-level privileges be assigned to the user to execute the operation.

A system privilege allows users to perform authorized database tasks. For example, assign the CREATE TABLE system privilege to a user to allow him or her to create self-owned tables.

An object-level privilege allows a user to perform an authorized task on a specified object. For example, assign ALTER object-level privilege on TableA to a user to allow him or her to alter that table, but no other tables.

A role is a container that may contain one or more system privileges, object-level privileges, and other roles. Granting a role to a user is equivalent to granting the user the underlying system and object-level privileges of the role.

All new users are automatically granted the PUBLIC system role, which gives them the ability to:

View the data stored in the system views
Execute most system stored procedures

Once you have created a new user, you can:

Grant user-defined roles, system roles, system privileges, and object-level privileges to it.
Assign a login policy it. By default, a user is assigned to the root login policy.
Set it as the publisher or as a remote user of the database for use in an SQL Remote system.

Each new or migrated SAP Sybase IQ database includes a predefined set of roles you can use to get started. These system roles act as a starting point for implementing role-based security.

Note: If you have used versions of SAP Sybase IQ earlier than 16.0, SAP recommends that you review the sections on how the security model has changed from the authority/permission/group model to the role/privilege/user-extended role model under Upgrading to Role-Based Security in the Migration Guide appropriate to your operating system.

Plan and Implement Role-Based Security
There is a distinct workflow to planning and implementing a role-based security model.
Roles
A role is a container that can contain system privileges, object-level privileges, and roles. Granting privileges to and revoking privileges from a role is the same as for a user. A role and user cannot have the same name.
Privileges
A privilege grants users the ability to perform an authorized operation on the system. For example, altering a table is a privileged operation, depending on the type of alteration you are making.
Passwords
A user can be granted the ability to manage other users' passwords. You can configure password management to require one or two users to complete a password change.
Impersonation
A user can temporarily assume (impersonate) the specific roles and system privileges of another user to perform operations, provided he or she already has the minimum required privileges to perform the task to begin with.
Users
User management includes the creation and deletion of user IDs, as well as password management.
Login Policies
A login policy defines the rules that SAP Sybase IQ follows to establish user connections. Each login policy is associated with a set of options called login policy options.
User Connections
There are several ways to manage user connections.
Security with Views and Procedures
You can use views and stored procedures to tailor privileges to suit the needs of your enterprise.
Data Confidentiality
You can secure communications between a client and the SAP Sybase IQ server, or between an SAP Sybase IQ client and the database server using Transport Layer Security (TLS).
Utility Database Server Security
SAP Sybase IQ includes a phantom database, called the utility database, that has no physical representation, and which can contain no data.
Data Security
Since databases may contain proprietary, confidential, or private information, it is important that you ensure that the database and the data in it are designed for security.