Add a role as an underlying role of a user-extended role. Members of the user-extended
role inherit all system privileges and roles of the underlying role, but do not become members
of the underlying role. Members of the underlying role do not become members of the
user-extended role.
Prerequisites
| Database Version |
Role-Based User-Extended Role Privileges |
|---|
| SAP Sybase IQ 15.3 and 15.4 |
Not supported. |
| SAP Sybase IQ
16.0 |
To enable the Manage Roles option requires one of:- Administrative rights over the role (role administrator).
- MANAGE ROLES system privilege if the role has a global role administrator.
To then add an underlying system role requires MANAGE ROLES
system privilege.
To then add an underlying user-defined or
compatibility role requires one of: - Administrative rights over the underlying role (role
administrator).
- MANAGE ROLES system privilege if the underlying role has a
global role administrator.
|
- The
SAP Sybase IQ resource is authenticated and running.
- The selected resource supports role-based
security
Task- In the Perspective Resources view, select the resource and
select .
- In the left pane, select .
- Select a role from the right pane and either:
- Click the arrow to the right of the name and select Manage
Roles, or
- From the Administration Console menu bar, select .
Warning! When adding an underlying role to a role, be sure you select the correct menu option.
Each option has different inheritance outcomes. To review the differences, see
Security Implications of the Managing Grantees and Managing Roles
Options.
A list of roles currently granted to the user-extended role
appears.
- Click Grant.
- Select one or more system or compatibility roles to grant. Only roles to which you have administrative
rights appear on the list.
Tip: Use Shift-click or
Control-click to select multiple roles.
- Click OK.
The selected roles appear with Role only rights
(no administrative rights).
- (Optional) (For compatibility and user-defined roles only) To modify the
administrative rights of an underlying role, highlight a role. Click in the Grant Options column, click the arrow,
and select the administrative rights to be granted.
| Grant Option |
Description |
|---|
| Role only |
(default) Grantee can use the underlying system privileges of the
role only. |
| Administrative only |
Grantee can grant and revoke the selected role to other users and
roles, but cannot use its underlying system privileges. |
| Administrative and role |
Grantee can grant and revoke the selected role to other users and
roles and use its underlying system privileges. |
Note: The following
steps represent a behavior change with SAP Sybase IQ 16.0,
for the following roles only. - SYS_AUTH_DBA_ROLE
- SYS_AUTH_BACKUP_ROLE
- SYS_RUN_REPLICATION_ROLE
- SYS_AUTH_RESOURCE_ROLE
- SYS_AUTH_VALIDATE_ROLE
Prior to 16.0, when
granting membership to one of these roles, the default inheritance behavior was to
not allow members of the role to automatically inherit the underlying system
privileges and roles of the compatibility role. Only the log on user (of the role)
would inherit. As of 16.0, the default behavior is to allow automatic inheritance by
all members of the role.
- (Optional for SYS_AUTH_DBA_ROLE
only) To prevent automatic inheritance of the SYS_AUTH_DBA_ROLE when granted with
the Administrative and Role option, click in the Inheritance
column, and select No Inheritance.
- (Optional for SYS_AUTH_DBA_ROLE,
SYS_AUTH_BACKUP_ROLE, SYS_RUN_REPLICATION_ROLE, SYS_AUTH_RESOURCE_ROLE, or
SYS_AUTH_VALIDATE_ROLE only) To prevent automatic inheritance when granted with
Role only option, click in the Inheritance column, and
select No Inheritance.
- Click OK.