Changing Administrative Rights on an Underlying Role of a System Role

Changes a member's (grantee's) ability to manage an underlying role of a system role.

Prerequisites
Database Version Role-Based System Role Privileges
SAP Sybase IQ 15.3 and 15.4 Not supported.
SAP Sybase IQ 16.0 To enable the Manage Roles option requires the MANAGE ROLES system privilege.
To then add an underlying role requires one of:
  • Administrative rights over the underlying role (role administrator).
  • MANAGE ROLES system privilege if the underlying role has a global role administrator.
Task

Administrative rights on any default underlying roles of a system role cannot be changed.

  1. In the Perspective Resources view, select the resource and select Resource > Administration Console.
  2. In the left pane, select IQ Servers > Security > Role-Based > Standalone Roles.
  3. Select a standalone role from the right pane and either:
    • Click the arrow to the right of the name and select Manage Roles, or
    • From the Administration Console menu bar, select Resource > Manage Roles.
      Warning!  When modifying the administrative rights of a grantee which is also a role, be sure you select the correct menu option. Each option has different inheritance outcomes. To review the differences, see Security Implications of the Managing Grantees and Managing Roles Options.
    A list of underlying roles currently granted to the standalone role appears.
  4. (Not applicable to system roles) Highlight a role to be modified. Click in the Grant Option column, click the arrow, and select the administrative rights to be granted.
    Grant Option Description
    Role only (default) Grantee can use the underlying system privileges of the role only.
    Administrative only Grantee can grant and revoke the selected role to other users and roles, but cannot use its underlying system privileges.
    Administrative and role Grantee can grant and revoke the selected role to other users and roles and use its underlying system privileges.
    Note: The following steps represent a behavior change with SAP Sybase IQ 16.0, for the following roles only.
    • SYS_AUTH_DBA_ROLE
    • SYS_AUTH_BACKUP_ROLE
    • SYS_RUN_REPLICATION_ROLE
    • SYS_AUTH_RESOURCE_ROLE
    • SYS_AUTH_VALIDATE_ROLE
    Prior to 16.0, when granting membership to one of these roles, the default inheritance behavior was to not allow members of the role to automatically inherit the underlying system privileges and roles of the compatibility role. Only the log on user (of the role) would inherit. As of 16.0, the default behavior is to allow automatic inheritance by all members of the role.
  5. (Optional for SYS_AUTH_DBA_ROLE only) To prevent automatic inheritance of the SYS_AUTH_DBA_ROLE when granted with the Administrative and Role option, click in the Inheritance column, and select No Inheritance.
  6. (Optional for SYS_AUTH_DBA_ROLE, SYS_AUTH_BACKUP_ROLE, SYS_RUN_REPLICATION_ROLE, SYS_AUTH_RESOURCE_ROLE, or SYS_AUTH_VALIDATE_ROLE only) To prevent automatic inheritance when granted with Role only option, click in the Inheritance column, and select No Inheritance.
  7. Click OK.
Parent topic: System Roles
Related concepts
Security Implications of the Managing Grantees and Managing Roles Options
Related tasks
View Grantees of a System Role
View Underlying Roles of a System Role
View System Privileges Granted to a System Role
Adding a Grantee to a System Role
Removing a Grantee from a System Role
Adding a Role to a System Role
Removing a Role from a System Role
Adding a System Privilege to a System Role
Changing Administrative Rights on a System Role Granted Privilege
Removing a System Privilege from a System Role
Authenticating a Login Account for a Managed Resource
Related reference
Role-Based System Role Privilege Summary