Restrict access to private data from the database owner by setting the restricted decrypt permission configuration parameter.
SAP ASE protects data privacy from the powers of the administrator even if you use the master key or system encryption password for key protection. If you prefer to avoid password management and use the master key or the system encryption password to protect encryption keys, you can restrict access to private data from the database owner by setting the restricted decrypt permission configuration parameter. System security officers (SSOs) can use this parameter to control which users have decrypt permission. Once restricted decrypt permission is enabled, the SSO is the only user who receives implicit decrypt permission and who has implicit privilege to grant that permission to others. The SSO determines which users receive decrypt permission, or delegates this job to another user by granting decrypt permission with the with grant option. Table owners do not automatically have decrypt permission on their tables.
Users with execute permission on stored procedures or user-defined functions do not have implicit permission to decrypt data selected by the procedure or function. Users with decrypt permission on a view column do not have implicit permission to decrypt data selected by the view.
System security officer – configures restricted decrypt permission, creates encryption keys, grants select permission on keys to the database owner, and grants decrypt permission to the end user.
Database owner – creates the schema and loads data.