Role-Based Security After Upgrading from 15.x

Role-based security replaces the authority-based security model as of SAP Sybase IQ 16.0.

• What Happened to Authorities, Permissions, and Groups?
  SAP Sybase IQ 16.0 introduces a role-based security model. Earlier versions used authorities, permissions, object-level permissions, and groups. The role-based security model uses roles, system privileges, object-level privileges, and user-extended roles.
• Authorities Become Compatibility Roles
  When you upgrade to 16.0, users who are granted authorities in the earlier version are automatically granted an equivalent compatibility role. If the user previously had the ability to administer the authority, he or she has the ability to administer the compatibility role in 16.0.
• Permissions Become Privileges
  SAP Sybase IQ versions earlier than 16.0 used object-level permissions such as ALTER and SELECT for tables and views. These permissions are now called object-level privileges.
• Groups Become Roles
  When you upgrade an IQ database earlier than 16.0, each group is converted to an equivalent user-extended role of the same name. Members of the original group are automatically granted the new role and all of its underlying system privileges. Authorities and object-level permissions granted to the original group are converted to equivalent compatibility roles and system privileges and are granted to the user-extended role.
• Change to Concept of a Super-User (DBA Authority)
  In SAP Sybase IQ versions earlier than 16.0, the DBA user was often considered a super-user by virtue of being granted the DBA authority. The DBA user continues to exist in 16.0, however, the concept has changed.
• Changes to the GRANT Statement Syntax
  The GRANT syntax for authorities, permissions, and groups is supported, but deprecated. If you have applications that use the pre-16.0 GRANT statement syntax, modify them to use the new syntax for roles and privileges.
• Changes to the REVOKE Statement Syntax
  The REVOKE syntax for authorities, permissions, and groups is supported but deprecated. If you have applications that use the pre-16.0 REVOKE statement syntax, modify them to use the new syntax for roles and privileges.
• Changes to REMOTE DBA
  The REMOTE DBA authority is replaced by the SYS_RUN_REPLICATION_ROLE system role. This role allows user to administer replication.
• Changes in Inheritance Behavior
  In SAP Sybase IQ versions earlier than 16.0, when you granted the DBA, REMOTE DBA, BACKUP, RESOURCE, and VALIDATE authorities to a group, the underlying permissions were not inherited by members of the group.
• Changes in Administering the Database Publisher
  In 16.0, the PUBLISH authority is replaced by the PUBLIC.db_publisher database option. You change the publisher by changing the database option.
• Compatibility Roles
  Compatibility roles exist for backward compatibility with versions of SAP Sybase IQ earlier than 16.0. that support authority-based security.
• Backward Compatibility in SAP Sybase IQ 16.0
  Grant and revoke syntax for role-based security differs significantly from authority-based security. However, SAP Sybase IQ 16.0 is fully backward compatible with authority-based syntax.
• Stored Procedure to Map Authorities to System Roles
  The sp_auth_sys_role_info stored procedure generates a report, which maps each authority to a corresponding system role name.
• Connecting to SAP Sybase IQ 15.x Databases with SAP Sybase IQ 16.0
  Role-based syntax is not supported in SAP Sybase IQ 15.x databases.