Starting with Adaptive Server 15.7 ESD #2, the role-privilege management model has been enhanced:
New granular, grantable system privileges have been added to enforce the principles of Separation of Duties (SOD) and Least Privilege (LP). These grantable system privileges can be server-wide or database-wide.
System-defined roles sa_role, sso_role, oper_role, replication_role, and keycustodian_role are now reconstructed as privilege containers consisting of a set of explicitly granted privileges.
Custom roles can now be created from out-of-box system-defined roles by granting or revoking privileges.
The CREATE PROCEDURE statement now supports a new EXECUTE AS OWNER | CALLER option. Depending on the option chosen, ASE checks runtime permissions, executes DDL, and resolves object names either as the procedure owner or as the procedure caller.
The enhanced role-privilege management model is enabled by using the new enable granular permissions configuration option.
See the Adaptive Server Enterprise 15.7 ESD #2 documentation.
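The following isql script is an added example, not taken from the Sybase documentation, showing how the pieces above fit together: enabling the model, building a narrow custom role, and choosing EXECUTE AS per procedure. The role, login, database, table and procedure names are hypothetical; manage any login is a server-wide privilege from ASE's granular model that is not named on this page.

```sql
-- Added example. All object, role and login names are hypothetical.

-- 1. Enable the enhanced role-privilege model (option name as given above).
sp_configure "enable granular permissions", 1
go

-- 2. Least privilege: a custom role that can manage logins and nothing else,
--    instead of granting sso_role. Server-wide privileges are granted
--    from the master database.
use master
go
create role login_admin_role
go
grant manage any login to login_admin_role
go
grant role login_admin_role to helpdesk_login
go

-- 3. Procedures in a user database (assumes salesdb already exists).
use salesdb
go
create table audit_rows (id int not null, logged_at datetime not null)
create table orders (id int not null, amount money not null)
go

-- EXECUTE AS OWNER: permissions are checked and object names resolved as
-- the procedure owner. Callers need only execute permission on the
-- procedure, not delete permission on audit_rows.
create procedure purge_audit_rows
with execute as owner
as
    delete from audit_rows
    where logged_at < dateadd(dd, -90, getdate())
go

-- EXECUTE AS CALLER: permissions are checked and object names resolved as
-- the session that calls the procedure, so the caller must hold select
-- permission on orders for the call to succeed.
create procedure count_orders
with execute as caller
as
    select count(*) from orders
go

grant execute on purge_audit_rows to login_admin_role
grant execute on count_orders to login_admin_role
go
```

When reviewing procedures, treat every EXECUTE AS OWNER procedure owned by a highly privileged user as a privilege boundary: its body and the set of principals holding execute permission on it together define what those principals can do.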
jConnect for JDBC, Adaptive Server Enterprise ODBC Driver, Adaptive Server Enterprise OLE DB Provider, and Adaptive Server Enterprise ADO.NET Data Provider support the new role-privilege management model when connected to an Adaptive Server with the new model enabled.
To support returning information about the predicate used to grant predicated permissions, the following methods return an additional column named PREDICATE:
ODBC – SQLColumnPrivileges() and SQLTablePrivileges()
JDBC – ResultSet getColumnPrivileges() and ResultSet getTablePrivileges()
OLE DB – IDBSchemaRowset::GetRowset(DBSCHEMA_COLUMN_PRIVILEGES) and IDBSchemaRowset::GetRowset(DBSCHEMA_TABLE_PRIVILEGES)
If granular permissions are set up on the database, the methods return additional rows to convey the granular permissions.
There is no change in the behavior of the ADO.NET methods.