Security Guide : 2. Authorizing User Access : Users and Profiles : Working with User Objects
Working with User Objects
You can perform the following basic operations on user objects:
Create and alter user objects
View existing user objects, including the detailed properties of each object
Drop user objects
These tasks can be accomplished using Actian Director, VDBA, or the accessdb forms-based utility.
In SQL, you can use the CREATE USER, ALTER USER, and DROP USER statements when working in a session connected to the iidbdb database.
Note:  Many of the features associated with a user object, such as subject privileges, password, expiration date, and security auditing, are security-related features, described later in this guide.
Create a New User with Accessdb
You must have maintain_users permission to authorize users. Using the accessdb utility, you can add, modify, or delete users and grant them database access permissions.
To authorize a new user
1. Start accessdb by issuing the following command at the operating system prompt:
accessdb
The accessdb main menu appears.
2. Select Users from the accessdb main menu.
The Users Catalog screen appears.
3. Select Create.
The Create a User screen appears.
4. Type the user information into the following fields:
User Name
Login name of the user. The name can be a regular or delimited identifier.
For example, to use a numeric user ID, the name must be delimited (enclosed in double quotes, as in "888282").
(For details on delimited identifiers, see the SQL Language Guide.)
Profile for User
(Optional) Default profile for the user.
Default Group
(Optional) Default group (see Groups) the user is assigned to.
Expire Date
(Optional) User expiration date (see User Expiration Date).
Note:  After you save the user definition, you can assign a User Password (see User Password). A user password is optional unless the user will require DBMS authentication.
5. In the Permissions section, change the default subject privilege settings for the user by tabbing to the desired field and typing the appropriate value:
y
Grants the privilege
n
Denies the privilege
r
Makes the privilege requestable. For details on requestable privileges, see SET SESSION in the SQL Language Guide.
6. Select Save from the menu.
The user entry is saved.
7. Repeat steps 3-6 for each new user you want to authorize.
8. Select End twice.
You are returned to the accessdb main menu.
9. Select Quit.
Note:  If you do not see the Quit function listed, press ESC to scroll through the menu options.
The accessdb utility ends.
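The following SQL does the same work as the accessdb procedure above, using the CREATE USER, DROP USER and SET SESSION statements in a session connected to iidbdb. It is an added example, not text from the guide or output of the accessdb SQLscript function; the user names app_batch and "888282", the group rpt_readers and the profile std_profile are assumed, and the group and profile must already exist.

```sql
-- Added example (not from the guide). Run in iidbdb by a user holding the
-- maintain_users privilege. app_batch, "888282", rpt_readers and
-- std_profile are assumed names; the group and profile must already exist.

-- A regular identifier with default group and profile, a DBMS password,
-- and an expiration date given as an interval rather than an absolute date.
-- createdb is granted and active at session start. operator is granted but
-- omitted from DEFAULT_PRIVILEGES, which is the SQL equivalent of the
-- accessdb value 'r': the privilege is requestable and stays off until the
-- session turns it on with SET SESSION.
CREATE USER app_batch
    WITH GROUP = rpt_readers,
         PROFILE = std_profile,
         PASSWORD = 'Replace-Me-Before-Use',
         EXPIRE_DATE = '1 month',
         PRIVILEGES = (createdb, operator),
         DEFAULT_PRIVILEGES = (createdb);

-- A numeric login name is only valid as a delimited identifier.
-- NOPRIVILEGES corresponds to answering 'n' for every accessdb field.
CREATE USER "888282"
    WITH NOPRIVILEGES,
         EXPIRE_DATE = '5-jan-2027';

-- In a later session of its own, app_batch activates the requestable
-- privilege (see SET SESSION in the SQL Language Guide):
SET SESSION ADD PRIVILEGES (operator);

-- Dropping a user object; the delimited form is required here as well.
DROP USER "888282";
COMMIT;
```

Granting a privilege without making it a default is the least-privilege option for accounts that need an administrative privilege only occasionally: routine sessions run without it, and enabling it is an explicit, auditable action.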
User Expiration Date
The user expiration date is an optional part of the user definition. It determines the date after which the user can no longer access Vector.
An expiration date can be specified as any valid Vector date or as a date or time interval. For example, you might specify an interval of '1 month' or '1 year', or an absolute date, such as '5-jan-2007'.
The user expiration date is checked each time the user connects to the DBMS Server. If the expiration date has passed, then access is denied.
To enable an expired user to connect, the associated user (or profile) object must be modified to reset the expiration date.
User Password
A password can be specified as part of the user definition.
How the password is used depends on whether DBMS authentication is enabled. If it is enabled, the user name and password supplied by the connection attempt must match the user name and password stored in the user definition. If the connecting application supplies no password, a remote connection attempt fails. A local connection attempt with no password succeeds, provided the user was not defined with DBMS_AUTHENTICATION = 'REQUIRED'.
If DBMS authentication is not enabled, the DBMS password operates as a second level of password after the initial connection has been established using the configured GCF security mechanism (for example, authentication against an OS user name and password). In this mode the application sends the DBMS password in the clear, that is, unencrypted, over the already-established connection. If the application provides no DBMS password, the DBMS server asks the client libraries to prompt for one where prompting is possible; otherwise the connection attempt fails.
When a session requires a password and one is not specified, a prompt requests a password. For security reasons, the same prompt is issued whether a required password is missing or the user name is unknown or illegal, so the prompt itself does not reveal whether a given user name exists. This behavior is consistent with that of operating systems during logon.
Note:  If a user with the Security privilege starts a session using the -u flag to impersonate another user, the real user's password, not the impersonator's, is required.
A user with the Change_Password privilege can change their own password, but must supply the old password to do so. A user with the maintain_users privilege can change the password of another user without the old password, change the method of password validation, or remove the password altogether.
Note:  Passwords also apply to roles.
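The following ALTER USER, ALTER ROLE and catalog statements show the maintenance operations described under User Expiration Date and User Password: reopening an expired account, a user changing their own password, an administrator resetting or removing a password or changing the validation method, and a role password. It is an added example, not text from the guide; the user app_batch, the role batch_ops and all password values are assumed, and the column names used in the final query against the iiusers catalog are an assumption to be checked against your installation.

```sql
-- Added example (not from the guide). Run in iidbdb. app_batch, batch_ops
-- and every password value are assumed.

-- An expired user is refused at connect time. A maintain_users holder
-- reopens access by resetting the date, here as an absolute date ...
ALTER USER app_batch WITH EXPIRE_DATE = '31-dec-2027';
-- ... or by removing the expiration altogether.
ALTER USER app_batch WITH NOEXPIRE_DATE;

-- A user with change_password changes their own password; the old
-- password must be supplied or the statement is rejected.
ALTER USER app_batch
    WITH OLDPASSWORD = 'Replace-Me-Before-Use',
         PASSWORD = 'New-Secret-Value';

-- A maintain_users holder needs no old password and may also remove the
-- password or switch validation to the external authentication mechanism.
ALTER USER app_batch WITH PASSWORD = 'Reset-By-Admin';
ALTER USER app_batch WITH EXTERNAL_PASSWORD;
ALTER USER app_batch WITH NOPASSWORD;

-- Require DBMS authentication even for local connections (the clause is
-- written as the guide spells it), so a local connect without a password
-- no longer succeeds for this user.
ALTER USER app_batch WITH DBMS_AUTHENTICATION = 'REQUIRED';

-- Passwords also apply to roles.
CREATE ROLE batch_ops WITH PASSWORD = 'Role-Secret';
ALTER ROLE batch_ops WITH NOPASSWORD;
COMMIT;

-- Check the result. user_name and expire_date are assumed iiusers column
-- names; confirm them with HELP TABLE iiusers in your installation.
SELECT user_name, expire_date
  FROM iiusers
 WHERE user_name = 'app_batch';
```

Resetting an expiration date is a deliberate, logged administrative act rather than something the expired user can do for themselves, which is the point of the mechanism; treat the ALTER USER statement the same way you would an account unlock on the operating system.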
Authorize Multiple Users with SQLscript
Using accessdb you can create a file containing the users at your installation and their corresponding permissions. This file is useful when you need to reproduce the same set of users on another installation.
To create a file of users
1. From the accessdb main menu choose Users.
The Users Catalog screen appears.
2. Choose the SQLscript menu item.
The accessdb utility creates an SQL script and displays an SQLscript message indicating the file location.
3. Press Return.
The message is cleared from the screen.
4. Select End.
Note:  If you do not see the End function listed, press ESC to scroll through the menu options.
You are returned to the accessdb main menu.
Note:  The SQLscript function creates users only; it does not create the profiles, groups, or roles associated with each user. Those objects must be unloaded and reloaded separately, before the script is run, for it to produce the expected results.