restricted decrypt permission

restricted decrypt permission enables or disables restricted decrypt permission in all databases. You must have the sso_role to set this parameter.

Summary Information

Default value: 0

Range of values: 0 (off), 1 (on)

Status: Dynamic

Display level: Basic

Required role: System security officer

Configuration group: Security Related

When restricted decrypt permission is set to 0 (off), decrypt permission on encrypted columns acts the same as in versions earlier than 15.0.2:
When restricted decrypt permission is set to 1 (on):
If you change restricted decrypt permission from 0 to 1, currently executing statements that use implicit decrypt permission finish; however, any subsequent statements that use implicit decrypt permission fail with this error until the SSO grants the user decrypt permission on the necessary columns:

Msg 10330 "DECRYPT permission denied on object object_name, database database_name, owner owner_name."

If you change restricted decrypt permission from 1 to 0, the rows that reflect explicit grants remain in the sysprotects system table. However, these rows have no effect on implicitly granted decrypt permissions because SAP ASE does not check sysprotects to make sure decrypt permission can be implicitly granted. sp_helprotect displays misleading information for only those users who were granted or revoked explicit decrypt permission before you reconfigure the system, and who now have implicit decrypt permission.

SAP recommends that, to keep the system consistent, you revoke any explicit decrypt permissions granted to users before you switch between enabling and disabling restricted decrypt permission.
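The switch from 0 to 1 described above, carried out in the recommended order, as an added example that is not part of the SAP documentation. The database, table, column and user names (sales_db, customer, creditcard, app_user) are hypothetical, and the session is assumed to be an isql login that holds sso_role.

```sql
-- Added example. sales_db, customer, creditcard and app_user are
-- hypothetical names; substitute your own objects and users.

-- 1. Show the current value of the parameter (0 = off, 1 = on).
sp_configure "restricted decrypt permission"
go

-- 2. In each database that holds encrypted columns, review the
--    permissions recorded for the tables that contain them.
use sales_db
go
sp_helprotect customer
go

-- 3. Revoke the explicit decrypt grants found in step 2 before switching,
--    so that sysprotects and the effective permissions stay consistent.
revoke decrypt on customer(creditcard) from app_user
go

-- 4. Turn the parameter on. Its status is Dynamic, so no restart is needed.
--    Statements already running finish; later statements that relied on
--    implicit decrypt permission fail with Msg 10330.
sp_configure "restricted decrypt permission", 1
go

-- 5. Grant decrypt explicitly on the necessary columns to the users
--    who need it.
grant decrypt on customer(creditcard) to app_user
go

-- 6. Confirm that the explicit grant is now recorded.
sp_helprotect customer
go
```

For the switch from 1 to 0, run steps 2 and 3 first and then set the parameter to 0, so that sp_helprotect does not show stale explicit rows for users who now have implicit decrypt permission.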

See the Encryption Users Guide for more information about decrypt permissions.