Add a role as an underlying role of a standalone role. Members of the system role
inherit the system privileges of the underlying role, but do not become members of the
underlying role. Members of the underlying role do not become members of the standalone
role.
Prerequisites
| Database Version |
Role-Based System Role Privileges |
|---|
| SAP Sybase IQ 15.3 and 15.4 |
Not supported. |
| SAP Sybase IQ
16.0 |
To enable the Manage Roles option requires the MANAGE ROLES
system privilege.To then add an underlying role requires one of: - Administrative rights over the underlying role (role
administrator).
- MANAGE ROLES system privilege if the underlying role has a
global role administrator.
|
- The
SAP Sybase IQ resource is authenticated and running.
- The selected resource supports role-based
security
Task- In the Perspective Resources view, select the resource and
select .
- In the left pane, select .
- Select a system role from the right pane and either:
- Click the arrow to the right of the name and select Manage
Roles, or
- From the Administration Console menu bar, select .
Warning! When adding an underlying role to a role, be sure you select the correct menu option.
Each option has different inheritance outcomes. To review the differences, see
Security Implications of the Managing Grantees and Managing Roles
Options.
A list of underlying roles currently granted to the system role
appears.
- Click Grant.
- Select one or more underlying roles to grant.
Tip: Use Shift-click or
Control-click to select multiple roles.
- Click OK to grant the role.
Newly granted underlying roles appear with Role only rights
(no administrative rights).
- (Optional) (For compatibility and user-defined roles only) To modify the
administrative rights of an underlying role, highlight a role. Click in the Grant Options column, click the arrow,
and select the administrative rights to be granted.
| Grant Option |
Description |
|---|
| Role only |
(default) Grantee can use the underlying system privileges of the
role only. |
| Administrative only |
Grantee can grant and revoke the selected role to other users and
roles, but cannot use its underlying system privileges. |
| Administrative and role |
Grantee can grant and revoke the selected role to other users and
roles and use its underlying system privileges. |
Note: The following
steps represent a behavior change with SAP Sybase IQ 16.0,
for the following roles only. - SYS_AUTH_DBA_ROLE
- SYS_AUTH_BACKUP_ROLE
- SYS_RUN_REPLICATION_ROLE
- SYS_AUTH_RESOURCE_ROLE
- SYS_AUTH_VALIDATE_ROLE
Prior to 16.0, when
granting membership to one of these roles, the default inheritance behavior was to
not allow members of the role to automatically inherit the underlying system
privileges and roles of the compatibility role. Only the log on user (of the role)
would inherit. As of 16.0, the default behavior is to allow automatic inheritance by
all members of the role.
- (Optional for SYS_AUTH_DBA_ROLE
only) To prevent automatic inheritance of the SYS_AUTH_DBA_ROLE when granted with
the Administrative and Role option, click in the Inheritance
column, and select No Inheritance.
- (Optional for SYS_AUTH_DBA_ROLE,
SYS_AUTH_BACKUP_ROLE, SYS_RUN_REPLICATION_ROLE, SYS_AUTH_RESOURCE_ROLE, or
SYS_AUTH_VALIDATE_ROLE only) To prevent automatic inheritance when granted with
Role only option, click in the Inheritance column, and
select No Inheritance.
- Click OK.