A user can successfully impersonate another user only if a specific set of criteria
is met, also called the at-least requirements.
Scenario 1
Assuming that criteria 2 and 3 are met, consider the following scenario:
- There are five users: User1, User2, User3, User4, and User5.
- There are two roles: Role1 and Role2.
- User1 has been granted
the SET USER system privilege with the ANY clause.
- User2 has been granted
the SET USER system privilege with the target_users_list clause for User1 and User4.
- User3 has been granted
the SET USER system privilege with the target_users_list clause for User1, User2, User4 and, User5, and the ANY WITH ROLES target_roles_list clause for Role1 and Role2.
- User4 has been granted
the SET USER system privilege with the ANY clause and the target_roles_list clause for Role1.
- User5 has been granted
the SET USER system privilege with the target_users_list clause for User4 and the ANY WITH ROLES target_roles_list for Role1.
User1 and User4 can successfully impersonate User2, User3, and User5 because each is granted the SET USER system
privilege with the ANY clause (criteria 4).
User1 and User4 can impersonate each other because they each have the ANY grant
(criteria 4).
User2, User3, and User5 cannot
impersonate User1 or User4 because they do not have the ANY grant (criteria 4).
User2 cannot impersonate
User3 or
User5 because:
- User2 is not granted the
right to impersonate these users (criteria 1).
- The SET USER system privilege is not granted to User2 with the target_roles_list clause (criteria 4).
User3 can successfully impersonate
User2 because:
- User3 is granted the
right to impersonate User2 via the
target_users_list clause (criteria
1).
- The target_users_list
clause for User3 is a super-set of
User2 (criteria 4). Though User3 has a grant with the target_role_list clause, it is not required
to satisfy the requirements for impersonation of User2 because the latter does not have the same grant.
User3 can successfully impersonate
User5 because:
- User3 is granted the
right to impersonate User5 via the
target_users_list clause (criteria
1).
- The target_users_list
clause list for User3 is a super-set of
User5 (criteria 4).
- The target_roles_list
clause lists for User3 and User5 are equivalent (criteria 4).
User5 cannot impersonate any other user because:
- User1 and User4 have an ANY grant (Criteria 4).
- User2 and User3 have a grant with a target_users_list clause that is not a
sub-set of the grant to User5 (criteria
4).
- User3 has a grant with
a target_roles_list clause that is not a
subset (criteria 4).
Criterion are validated occurs when the SETUSER statement is
executed, not when the SET USER system privilege is granted. If a user fails to meet
any of the criteria when the SETUSER statement is issued, a permission denied message appears, and the impersonation does not
begin.