Adaptive Server protects data privacy from the powers of the administrator even if you use the master key or system encryption password for key protection. If you prefer to avoid password management and use the master key or the system encryption password to protect encryption keys, you can restrict access to private data from the database owner by setting the restricted decrypt permission configuration parameter. System security officers (SSOs) can use this parameter to control which users have decrypt permission. Once restricted decrypt permission is enabled, the SSO is the only user who receives implicit decrypt permission and who has implicit privilege to grant that permission to others. The SSO determines which users receive decrypt permission, or delegates this job to another user by granting decrypt permission with the with grant option. Table owners do not automatically have decrypt permission on their tables.
Users with execute permission on stored procedures or user-defined functions do not have implicit permission to decrypt data selected by the procedure or function. Users with decrypt permission on a view column do not have implicit permission to decrypt data selected by the view.
Users with aliases continue to inherit all decrypt permissions of the user to whom they are aliased. set proxy/set user statements continue to allow the administrator or database owner the decrypt permissions of the user whose identity is assumed by this command.