Changes a member's (grantee's) ability to manage an underlying role of a system
role.
Prerequisites
Database Version |
Role-Based System Role Privileges |
SAP Sybase IQ 15.3 and 15.4 |
Not supported. |
SAP Sybase IQ
16.0 |
To enable the Manage Roles option requires the MANAGE ROLES
system privilege.To then add an underlying role requires one of: - Administrative rights over the underlying role (role
administrator).
- MANAGE ROLES system privilege if the underlying role has a
global role administrator.
|
- The
SAP Sybase IQ resource is authenticated and running.
- The selected resource supports role-based
security
Task
Administrative rights on any default underlying roles of a system role cannot be
changed.
- In the Perspective Resources view, select the resource and
select .
- In the left pane, select .
- Select a standalone role from the right pane and either:
- Click the arrow to the right of the name and select Manage
Roles, or
- From the Administration Console menu bar, select .
Warning! When modifying the administrative rights of
a grantee which is also
a role, be sure you select the correct menu option.
Each option has different inheritance outcomes. To review the differences, see
Security Implications of the Managing Grantees and Managing Roles
Options.
A list of underlying roles currently granted to the standalone role
appears.
- (Not applicable to system roles) Highlight a role to be modified. Click in the Grant Option column, click the arrow,
and select the administrative rights to be granted.
Grant Option |
Description |
Role only |
(default) Grantee can use the underlying system privileges of the
role only. |
Administrative only |
Grantee can grant and revoke the selected role to other users and
roles, but cannot use its underlying system privileges. |
Administrative and role |
Grantee can grant and revoke the selected role to other users and
roles and use its underlying system privileges. |
Note: The following
steps represent a behavior change with SAP Sybase IQ 16.0,
for the following roles only. - SYS_AUTH_DBA_ROLE
- SYS_AUTH_BACKUP_ROLE
- SYS_RUN_REPLICATION_ROLE
- SYS_AUTH_RESOURCE_ROLE
- SYS_AUTH_VALIDATE_ROLE
Prior to 16.0, when
granting membership to one of these roles, the default inheritance behavior was to
not allow members of the role to automatically inherit the underlying system
privileges and roles of the compatibility role. Only the log on user (of the role)
would inherit. As of 16.0, the default behavior is to allow automatic inheritance by
all members of the role.
- (Optional for SYS_AUTH_DBA_ROLE
only) To prevent automatic inheritance of the SYS_AUTH_DBA_ROLE when granted with
the Administrative and Role option, click in the Inheritance
column, and select No Inheritance.
- (Optional for SYS_AUTH_DBA_ROLE,
SYS_AUTH_BACKUP_ROLE, SYS_RUN_REPLICATION_ROLE, SYS_AUTH_RESOURCE_ROLE, or
SYS_AUTH_VALIDATE_ROLE only) To prevent automatic inheritance when granted with
Role only option, click in the Inheritance column, and
select No Inheritance.
- Click OK.