Changing Administrative Rights on an Underlying Role of a User-Extended Role

Changes a member's (grantee's) ability to manage an underlying role of a user-extended role.

Prerequisites

Database Version	Role-Based User-Extended Role Privileges
SAP Sybase IQ 15.3 and 15.4	Not supported.
SAP Sybase IQ 16.0	Requires one of: Administrative rights over the role (role administrator). MANAGE ROLES system privilege if the role has a global role administrator.

The SAP Sybase IQ resource is authenticated and running.
The selected resource supports role-based security

Task

Administrative rights cannot be modified on underlying system roles.

In the Perspective Resources view, select the resource and select Resource > Administration Console.
In the left pane, select IQ Servers > Security > Role-Based > User-Extended Role.
Select a user-extended role from the right pane and either:
- Click the arrow to the right of the name and select Manage Roles, or
- From the Administration Console menu bar, select Resource > Manage Roles.
  Warning! When modifying the administrative rights of an underlying role, be sure you select the correct menu option. Each option has different inheritance outcomes. To review the differences, see Security Implications of the Managing Grantees and Managing Roles Options.
A list of underlying roles currently granted to the role appears.

(Not applicable to system roles) Highlight a role to be modified. Click in the Grant Option column, click the arrow, and select the administrative rights to be granted.

Grant Option	Description
Role only	(default) Grantee can use the underlying system privileges of the role only.
Administrative only	Grantee can grant and revoke the selected role to other users and roles, but cannot use its underlying system privileges.
Administrative and role	Grantee can grant and revoke the selected role to other users and roles and use its underlying system privileges.

Note: The following steps represent a behavior change with SAP Sybase IQ 16.0, for the following roles only.

SYS_AUTH_DBA_ROLE
SYS_AUTH_BACKUP_ROLE
SYS_RUN_REPLICATION_ROLE
SYS_AUTH_RESOURCE_ROLE
SYS_AUTH_VALIDATE_ROLE

Prior to 16.0, when granting membership to one of these roles, the default inheritance behavior was to not allow members of the role to automatically inherit the underlying system privileges and roles of the compatibility role. Only the log on user (of the role) would inherit. As of 16.0, the default behavior is to allow automatic inheritance by all members of the role.

(Optional for SYS_AUTH_DBA_ROLE only) To prevent automatic inheritance of the SYS_AUTH_DBA_ROLE when granted with the Administrative and Role option, click in the Inheritance column, and select No Inheritance.
(Optional for SYS_AUTH_DBA_ROLE, SYS_AUTH_BACKUP_ROLE, SYS_RUN_REPLICATION_ROLE, SYS_AUTH_RESOURCE_ROLE, or SYS_AUTH_VALIDATE_ROLE only) To prevent automatic inheritance when granted with Role only option, click in the Inheritance column, and select No Inheritance.
Click OK.