Granular Permissions

Granular permissions enable you to grant system privileges, allowing you to construct site-specific roles with privileges to match your requirements, and restrict system administrators and database owners from accessing user data.

Grantable system privileges are granular and allow you to enforce principles of “separation of duties” (which requires that, for particular sets of operations, no single individual be allowed to execute all operations within the set) and “least privilege” (which requires that all users in an information system should run with as few privileges as are required to do the job).

All granted privileges are immutable. That is, you cannot revoke one privilege from another privilege, or grant one privilege to another. However, the scope of one privilege may overlap that of another: possessing one privilege may imply possessing another, more granular, privilege.

Enabling granular permissions reconstructs the system-defined roles (sa_role, sso_role, oper_role, and replication_role) as privilege containers, each consisting of a set of explicitly granted privileges. You may revoke explicitly granted system privileges from the system-defined roles and later regrant them to those roles.
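The following Transact-SQL session is an added example, not taken from the Adaptive Server documentation, that puts the two preceding paragraphs together: it enables the feature, builds two narrow site-specific roles (least privilege) that cannot do each other's job (separation of duties), and trims an overlapping privilege out of the sa_role container. The configuration parameter name, the privilege names (manage any login, manage database) and the sp_helprotect call are assumed to match Adaptive Server; the role and login names are constructed for this example.

```sql
-- Added example: not from the Adaptive Server documentation.
-- Assumes a session holding sa_role and sso_role on a server that
-- supports granular permissions. Role and login names are constructed.

-- 1. Enable granular permissions (assumed sp_configure parameter name).
--    This rebuilds sa_role, sso_role, oper_role and replication_role as
--    containers of explicitly granted privileges.
sp_configure 'enable granular permissions', 1
go

-- 2. Create site-specific roles, each holding only the privileges its
--    job needs (least privilege). Role names are constructed.
create role login_admin_role
create role db_admin_role
go

-- 3. Grant a narrow privilege set to each role (assumed privilege names).
--    login_admin_role can manage logins but not databases, and
--    db_admin_role the reverse, so no single role covers the whole
--    administrative workflow (separation of duties).
grant manage any login to login_admin_role
grant manage database to db_admin_role
go

-- 4. Revoke the now-delegated privilege from the system-defined container
--    role, so that the default administrator no longer carries it
--    implicitly. It can be regranted to sa_role later if required.
revoke manage database from sa_role
go

-- 5. Assign the roles to the logins that perform those duties
--    (constructed login names).
grant role login_admin_role to login_admin_alice
grant role db_admin_role to db_admin_bob
go

-- 6. Review what each role now holds (assumed sp_helprotect usage with a
--    role name as its first argument) before putting it into service.
sp_helprotect login_admin_role
sp_helprotect db_admin_role
sp_helprotect sa_role
go
```

The order matters for step 4: revoke an overlapping privilege from sa_role only after a dedicated role already holds it, otherwise the operation it covers has no remaining grantee until the privilege is regranted.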

See "Using Granular Permissions" in the Security Administration Guide for information about using and configuring Adaptive Server with granular permissions. See the Reference Manual: Commands and the Reference Manual: Procedures to see how enabling Adaptive Server for granular permissions affects individual commands and system procedures.