Sets of Privileges Associated with a Session
In addition to assigning subject privileges to a user, Vector lets you define a default set of subject privileges that will be available at session startup.
Any privilege assigned to the user can also be added or dropped during the life of the session; this capability effectively applies the principle of least privilege.
The principle of least privilege asserts that a subject must have the minimum privileges required to perform an operation, and that these privileges must be active for the minimum amount of time necessary to perform that operation.
Thus, a session has three sets of privileges associated with it:
The default privilege set contains those privileges that become active when a connection to Vector is initiated.
The working privilege set contains those privileges that are active at any particular time (at session startup, the working privilege set is equivalent to the default privilege set).
The maximum privilege set contains all privileges that a particular user is allowed to have.
The working privilege set is determined during the life of the session, when privileges can be made active as necessary to allow a privileged operation to be performed and made inactive on completion of the task.
The working privilege set is specified using the SET SESSION statement. Using SET SESSION, you can:
Add allowed privileges to the working privilege set
Drop privileges from the working privilege set
Replace the working privilege set with specified allowed privileges
Set the working privilege set to all allowed privileges
Reset the working privilege set to the default privilege set
Remove all privileges from the working privilege set
In VDBA, the maximum privilege set consists of all the privileges enabled in the Active by Request column of the Create User or Alter User dialog. The default privilege set, which is a subset of the maximum privilege set, consists of all the privileges enabled in the Active by Default column of the Create User or Alter User dialog.
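The following is an added example, not taken from the Vector documentation, showing the three privilege sets and the six SET SESSION operations listed above in SQL. The user names `ops_admin` and `report_reader` are hypothetical, and the privilege names and clause spellings are assumed to follow the CREATE USER and SET SESSION statements of the Vector/Ingres SQL reference; confirm them against the reference for your release.

```sql
-- Added example: names are hypothetical, syntax assumed per the SQL reference.

-- Maximum privilege set: CREATEDB, OPERATOR, MAINTAIN_USERS.
-- Default privilege set (a subset of the maximum set): CREATEDB only.
CREATE USER ops_admin WITH
    PRIVILEGES = (CREATEDB, OPERATOR, MAINTAIN_USERS),
    DEFAULT_PRIVILEGES = (CREATEDB);

-- In a session connected as ops_admin, the working privilege set
-- starts out equal to the default set: (CREATEDB).

-- Least-privilege pattern: activate a privilege only around the
-- operation that needs it, then deactivate it again.
SET SESSION ADD PRIVILEGES (MAINTAIN_USERS);   -- add an allowed privilege
CREATE USER report_reader WITH NOPRIVILEGES;   -- the privileged operation
SET SESSION DROP PRIVILEGES (MAINTAIN_USERS);  -- drop it on completion

-- Replace the working set with specified allowed privileges.
SET SESSION WITH PRIVILEGES = (OPERATOR);

-- Set the working set to all allowed privileges (the maximum set).
SET SESSION WITH PRIVILEGES = ALL;

-- Reset the working set to the default set.
SET SESSION WITH PRIVILEGES = DEFAULT;

-- Remove all privileges from the working set.
SET SESSION WITH NOPRIVILEGES;
```

A privilege outside the maximum set cannot be made active this way, so keeping the default set small and the maximum set tight bounds what any one session can do.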