grant role

Syntax

grant role role_name
		[where pred_expression]
	to {username | rolename | login_profile_name }

Parameters

role_name – is the name of a system- or user-defined role that the system security officer is granting to a user or a role.
where pred_expression – also referred to as a role-activation predicate, this is a SQL condition that must be satisfied when the named role is activated. pred_expression may be used only when granting a role to username or login_profile_name.If pred_expression evaluates to FALSE when the role is activated, the set role command fails and the SAP ASE server returns an error message. If the role is specified for automatic activation or is a default role, the SAP ASE server silently fails the activation but does not fail the login process.
to username | rolename | login_profile_name – identifies the name of the login, role or login profile to which you are granting the role. When the grantee is a login profile, all users with this login profile are granted the role.

Examples

Example 1 – Grants the role “doctor” to Mary:
```
grant role doctor_role to mary
```
Example 2 – By granting intern_role to doctor_role, a doctor inherits all the privileges of an intern.
```
grant role intern_role to doctor_role
```
Example 3 – User Smith, with manage roles privileges, grants the nurse_role to user John, with user roleAdmin as the grantor.
```
grant role nurse_role to john
granted by roleAdmin
```
Example 4 – Grants role ldap_user_role to login profile lp_10:
```
grant role ldap_user_role where
  get_appcontext(login_authentication) = 'LDAP'
  to login_profile lp_10
```
Using the above example, when the session of a user assigned login profile lp_10 enables ldap_user_role, the SAP ASE server checks that the session connected using LDAP. If there was an LDAP connection, the user assumes ldap_user_role; if not, ldap_user_role is not enabled. Configure the predicate evaluation to occur automatically during login by altering login profile lp_10 and specifying ldap_user_role on the auto activated roles attribute. Otherwise, the evaluation of the role activation predicate occurs when the user assigned lp_10 executes the set role statement.

Usage

The SAP ASE server automatically activates roles granted to logins or login profiles (after evaluating any predicate) when the user logs in if create login, alter login, create login profile, or alter login profile specify the role for automatic activation. Otherwise, the SAP ASE server activates the role when set role is executed. Adaptive automatically activates a role granted to another role when the dependent role is activated.

You can use the grant command to grant permissions to all users who have been granted a specified role. The role can be either a system role, like sso_role or sa_role, or a user-defined role. The system security officers must create the user-defined roles using a create role command.

Permissions

The permission checks for grant role differ based on your granular permissions settings.

Setting	Description
Enabled	With granular permissions enabled, you must be a user with `manage roles` privilege.
Disabled	With granular permissions disabled, you must be a user with sso_role. To grant sa_role, you must be a user with sa_role.

Auditing

Values in event and extrainfo columns of sysaudits are:

Information	Values
Event	85
Audit option	roles
Command or access audited	create role, drop role, alter role, grant role, or revoke role
Information in `extrainfo`	Roles – current active roles Keywords or options – Full command text of the grant role statement Previous value – NULL Current value – NULL Other information – NULL Proxy information – original login name, if set proxy is in effect