Granular permissions enable you to grant system privileges, allowing you to construct site-specific roles with privileges that match your requirements and to restrict system administrators and database owners from accessing user data.
The granular permissions feature requires the ASE_PRIVACY license.
To enable granular permissions, set the configuration parameter enable granular permissions to 1.
You must have sso_role privileges to turn on granular permissions, and the manage security configuration system privilege to turn off granular permissions.
To grant the following permissions, the system privilege manage server permissions is required, and to access database sybsecurity, the system privilege manage security permissions is required:
- checkpoint
- dump database
- load database
- online database
- own database
- use database
When enable granular permissions is set to 1:
- Checks for permissions are conducted, and only users with the appropriate permissions see the menu options available for setting those permissions. For example, the Change Password option is available only if you have the Manage Any Encryption Key permission, or if you are the key owner for the column encryption key.
- System-defined roles (sa_role, sso_role, oper_role, and replication_role) are explicitly granted a set of default privileges. You have the option to revoke explicitly granted system privileges from system-defined roles.
- The system privilege manage security permissions is required to restore dbo user privileges.
By default, the sa_role is granted the system privilege own any database. This privilege allows a system administrator to become the database owner of any user database. However, database owners can revoke the own any database privilege from the sa_role.
To generate DDL for encryption keys, logins, and roles:
- You must have the Select Any System Catalog privilege on the master database to generate DDL for logins or roles.
- For encryption keys, you must have the Select Any System Catalog privilege on the database where the encryption key resides.
Select Any System Catalog is not an automatically granted privilege, even if you can access system catalogs. If you have sso_role, you are automatically given the Manage Security Permissions privilege when granular permissions is enabled. Once you have the Manage Security Permissions permission, you can grant the Select Any System Catalog privilege to yourself or other users to allow access to generate DDL.
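The sequence described above (enable granular permissions, delegate Select Any System Catalog for DDL generation, and revoke own any database from sa_role) as an added isql session; this is example code, not SAP's own, and it assumes a database user named audit_dba exists in both master and an assumed user database salesdb.

```sql
-- Added example (not from the SAP documentation). Assumed names:
-- audit_dba (a user present in master and salesdb), salesdb (a user database).

-- 1. Turn granular permissions on. The page states this requires sso_role.
sp_configure 'enable granular permissions', 1
go

-- 2. With granular permissions on, an sso_role holder automatically receives
--    manage security permissions and can delegate select any system catalog.
--    DDL generation for logins and roles needs that privilege in master.
use master
go
grant select any system catalog to audit_dba
go

-- 3. Restrict system administrators from user data: a database owner can
--    revoke the default own any database privilege from sa_role.
revoke own any database from sa_role
go

-- 4. DDL generation for an encryption key needs select any system catalog in
--    the database where the key resides (salesdb is assumed).
use salesdb
go
grant select any system catalog to audit_dba
go

-- 5. Turning the feature off again requires the manage security configuration
--    privilege rather than sso_role, so a different principal typically runs it.
-- sp_configure 'enable granular permissions', 0
```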
For complete information about how to manage granular permissions in SAP ASE, see the Security Administration Guide.