restricted decrypt permission enables or disables restricted decrypt permission in all databases. You must have the sso_role to set this parameter.
| Summary Information | |
|---|---|
| Default value | 0 |
| Range of values | 0 (off), 1 (on) |
| Status | Dynamic |
| Display level | Basic |
| Required role | System security officer |
| Configuration group | Security Related |
When restricted decrypt permission is set to 0 (off):

The table owner or the SSO explicitly grants decrypt permission. With grant option on decrypt permission is supported.

Decrypt permission is granted implicitly to table owners and the SSO, as well as to any user through a chain of ownership. For example, if user Fred owns the proc1 stored procedure, which selects data from the encrypted column fred.table1.col1, and Fred grants exec permission on proc1 to Harry, then Harry has implicit decrypt permission on fred.table1.col1 while running proc1.

Decrypt permission is not needed for alter table decrypt, because the table owner has implicit decrypt permission on encrypted columns.
When restricted decrypt permission is set to 1 (on):

Decrypt permission is granted implicitly only to the SSO. Every other user needs an explicit grant, and the grant can carry with grant option so that the grantee can pass the permission on. For example:

grant decrypt on user3.user3_tab to user1 with grant option
If you use a system encryption password, SAP recommends that, to protect data privacy, you do not grant decrypt permission to the DBO. When keys are instead protected by user-specified passwords, the DBO and other parties cannot read the data unless they know a key's password, so in that configuration you may find it convenient to let the DBO decide which users see the decrypted data. If you are not protecting keys and data with user-specified passwords, the SSO should retain sole responsibility for granting decrypt permission.
Table ownership does not give a user implicit decrypt permission. That is, if you create a table with encrypted columns, you do not have decrypt permission on them unless it is explicitly granted to you.
No user is implicitly granted decrypt permission through an ownership chain. For example, if Fred owns the proc1 stored procedure, which selects data from the encrypted column fred.table1.col1, and if Fred grants exec permission on proc1 to Harry, then Harry must also have explicit decrypt permission on fred.table1.col1 to see the data.
Aliased users assume the permissions of the user to whom they are aliased. Similarly, a user with sa_role, who is implicitly aliased to the DBO in any database, inherits any decrypt permissions that have been explicitly granted to the DBO.
Decrypt permission is required for the alter table decrypt statement, because the table owner does not have implicit decrypt permission on the table.

A user who lacks decrypt permission and attempts to read an encrypted column receives:

Msg 10330 "DECRYPT permission denied on object object_name, database database_name, owner owner_name."
If you change restricted decrypt permission from 1 to 0, the rows that reflect explicit grants remain in the sysprotects system table. However, these rows have no effect on implicitly granted decrypt permissions because SAP ASE does not check sysprotects to make sure decrypt permission can be implicitly granted. sp_helprotect displays misleading information for only those users who were granted or revoked explicit decrypt permission before you reconfigure the system, and who now have implicit decrypt permission.
SAP recommends that, to keep the system consistent, you revoke any explicit decrypt permissions granted to users before you switch restricted decrypt permission on or off.
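The following Transact-SQL script is an added walk-through, not part of the SAP page: it exercises both settings described above (the ownership-chain behaviour and the alter table decrypt rule under 0, the explicit-grant and with grant option behaviour under 1) and applies the recommendation to revoke explicit grants before switching. It assumes a database testdb in which users fred and harry already exist, a login holding sso_role and sa_role (so it can run sp_configure and setuser), and the names employee, ssn_key, proc1 and the system encryption password, all of which are illustrative.

```sql
-- Added example (not SAP's code). Assumed: database testdb, users fred and
-- harry already added, caller holds sso_role + sa_role, all object names.
use testdb
go

-- A system encryption password is needed before keys can be created
-- (password value is an assumption for the example).
sp_encryption system_encr_passwd, 'Sys3ncrPw!'
go

-- 1. Default setting: restricted decrypt permission = 0 (off).
sp_configure 'restricted decrypt permission', 0
go

create encryption key ssn_key for AES with keylength 256
go

-- fred owns a table with one encrypted column and a procedure that reads it.
setuser 'fred'
go
create table employee (id int, ssn char(11) encrypt with ssn_key)
go
insert employee values (1, '123-45-6789')
go
create procedure proc1 as select id, ssn from employee
go
grant execute on proc1 to harry
go
-- Table owner grants select so harry can query the table directly, and
-- explicitly grants decrypt on the column (the page: owner or SSO grants it).
grant select on employee to harry
go
grant decrypt on employee(ssn) to harry
go
setuser
go

-- Under 0, harry reads ssn through proc1 via the ownership chain even without
-- the explicit grant; fred, as owner, can decrypt the column with no grant.
setuser 'harry'
go
exec fred.proc1
go
setuser
go

-- 2. Before switching to 1, revoke explicit decrypt grants so that the rows
-- left in sysprotects do not make sp_helprotect misleading later.
revoke decrypt on fred.employee from harry
go
sp_configure 'restricted decrypt permission', 1
go

-- Under 1 only the SSO holds decrypt implicitly. The ownership chain through
-- proc1 no longer supplies it, and fred needs an explicit grant even for
-- "alter table employee modify ssn decrypt" on his own table.
grant decrypt on fred.employee(ssn) to harry
go
grant decrypt on fred.employee to fred
go

-- A grant carrying with grant option lets harry pass decrypt on to others.
grant decrypt on fred.employee to harry with grant option
go

-- harry can now run proc1 and select ssn directly; without the grant above
-- the page documents the failure as Msg 10330.
setuser 'harry'
go
exec fred.proc1
go
setuser
go

-- Review what sysprotects actually records for the table.
sp_helprotect 'fred.employee'
go

-- 3. Switching back to 0: revoke the explicit grants first, for the same
-- reason as in step 2.
revoke decrypt on fred.employee from harry
go
revoke decrypt on fred.employee from fred
go
sp_configure 'restricted decrypt permission', 0
go
```

Run sp_helprotect after each sp_configure change if you want to confirm that no explicit decrypt rows remain for users who now hold the permission implicitly; those are the rows the page warns will read misleadingly.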
See the Encryption Users Guide for more information about decrypt permissions.