Impersonation

A user can temporarily assume (impersonate) the specific roles and system privileges of another user to perform operations, provided he or she already has the minimum required privileges to perform the task to begin with.

Suppose User1 is responsible for performing a key task, but he or she is unavailable. User2 has sufficient privileges to complete the task, but has additional privileges not available to User1. If User2 performs the task, it could complete differently than when performed by User1. To avoid this, User2 temporarily assumes (impersonates) the roles and system privileges specific to User1, and performs the task.

Impersonation is achieved by first granting a user the SET USER system privilege, and then issuing the SETUSER statement to initiate the impersonation.

To impersonate another user, the impersonating (grantee) user must have been granted, at minimum, all of the roles and system privileges, with the same or higher administrative privileges, as the impersonated (target) user. This is called the at-least criteria. The impersonating user can have been granted additional roles, system privileges, or higher administrative privileges, but not fewer. While impersonating another user, you can grant additional roles and privileges to, or revoke from the impersonator or impersonate as long as doing so does not violate the at-least criteria. If the grant or revoke violates the criteria, an error message appears, and the statement fails.

For example, User1 is successfully impersonating User2. You grant a new role to User1, but not to User2. Since this grant does cause a violation of the criteria for User1 to impersonate User2 (User1 still has at least the same roles and privileges granted to User2), the grant is successful. If, however, new role is granted to User2 instead of User1, the grant statement fails because it results in User2 being granted more roles than User1.

When you impersonates another user, the user ID of the impersonated user (not yours), appears in the audit logs. However, since the act of impersonation (issuance of the SETUSER command) is also recorded in the audit logs, you can determine whether the grantee or target user executed a task.

In a multiplex configuration, if an impersonation is active in a connection that is present in the coordinator, and an attempt is made to grant or revoke roles and privileges that violates the at-least criteria, the connection containing the active impersonation terminates. Since terminating the connection also terminates the impersonation, violation of at-least criteria is no longer an issue, and the GRANT or REVOKE statement executes successfully.

• Requirements for Impersonation
  A user can successfully impersonate another user only if a specific set of criteria is met, also called the at-least requirements.
• Granting the SET USER System Privilege to a User
  Allow one user to impersonate another user in the database. The system privilege can be granted with or without administrative rights.
• Starting to Impersonate Another User
  Allows a user to assume the exact roles and system privileges (impersonate) of another user. Impersonation remains in effect until it is stopped or until the current session ends.
• Verifying the Current Impersonation Status of a User
  A successful impersonation remains in effect until it is manually terminated or the session is terminated.
• Stopping Impersonation of Another User
  End the impersonation of another user on the machine. Once begun, impersonation of another user remains in effect until impersonation is stopped, or the current session ends.
• Revoking the SET USER System Privilege from a User
  Remove the ability of a user to impersonate other users, and to administer the SET USER system privilege.