Assigning Privileges and Granting Permissions
Subject Privileges
A subject privilege defines the type of operations permissible in a user session. Subject privileges are assigned to a user (subject).
Subject privileges are typically assigned when a user object is created or modified. Subject privileges can also be assigned to roles, as discussed in Groups and Roles.
To set or change subject privileges for a user, you must have the maintain_users privilege.
IMPORTANT! Subject privileges allow many trusted operations to be performed. Therefore, assign privileges with care, especially the Security privilege.
The subject privileges are as follows:
auditor
Enables the user to query the security audit log
change_password
Enables the user to change their own password
createdb
Enables the user to create and destroy databases
maintain_audit
Enables the user to control what information is written to the security audit log
maintain_locations
Enables the user to manage database and file locations
maintain_users
Enables the user to perform various user-related functions, such as creating users and roles
operator
Enables the user to perform database backups and other maintenance operations
security
Enables the user to perform security-related operations, including impersonating other users, and to avoid certain security checks, such as database privilege checks
trace
Gives the user access to tracing and debugging features
unmask
Allows the user to see masked columns without masking, to use the MASK_COLUMN() function in views, and to use COPY INTO when a table contains columns marked as MASKED
Auditor Privilege
The Auditor privilege allows a user to obtain information from the audit log.
A user with this privilege can:
• Register the audit log file to a virtual table using the REGISTER TABLE statement (or perform the equivalent operation in Actian Director or VDBA).
• Remove the registration for an audit log file using the REMOVE TABLE statement (or perform the equivalent operation in Actian Director or VDBA).
• Query the audit log once it has been registered as a virtual table.
• Obtain the audit log file name by calling dbmsinfo('security_audit_log').
Change_Password Privilege
The Change_Password privilege lets the user change their own password (but not those of others).
Createdb Privilege
The createdb privilege gives the user the ability to create databases.
This privilege is required to use the createdb system command or to use the equivalent operation in Actian Director or Visual DBA.
Maintain_Audit Privilege
The maintain_audit privilege allows a user to manage auditing features, including determining the security audit activity level for profiles, users, and roles, and the ability to turn security auditing on and off.
The maintain_audit privilege is typically assigned to the system administrator, the database administrator, or a separate security administrator.
A user with this privilege can:
• Enable or disable security auditing (using the ENABLE and DISABLE SECURITY_AUDIT statements or the equivalent operations in Actian Director or VDBA).
• Change the current audit state (using the ALTER SECURITY_AUDIT statement or the equivalent operation in Actian Director or VDBA).
• Determine the security audit activity level when working with profiles, users, and roles (by specifying the SECURITY_AUDIT clause on ALTER/CREATE PROFILE, ALTER/CREATE USER, and ALTER/CREATE ROLE statements, or using Actian Director or VDBA).
Maintain_Locations Privilege
The maintain_locations privilege allows a user to control the allocation of disk space, create new locations or allow new locations to be created, and allow existing locations to be modified or removed.
This privilege is needed to issue the CREATE, ALTER, and DROP LOCATION statements (or to perform the equivalent operations on location objects in Actian Director or VDBA).
Maintain_Users Privilege
The maintain_users privilege allows a user to perform various user-related functions.
A user with this privilege can:
• Maintain profiles (using CREATE/ALTER/DROP PROFILE statements or the equivalent operations in Actian Director or VDBA).
• Maintain users (using CREATE/ALTER/DROP USER statements or the equivalent operations in Actian Director or VDBA).
• Maintain groups (using CREATE/ALTER/DROP GROUP statements or the equivalent operations in Actian Director or VDBA).
• Maintain roles (using CREATE/ALTER/DROP ROLE statements or the equivalent operations in Actian Director or VDBA).
Operator Privilege
The Operator privilege allows a user to run the following system commands:
• ckpdb
• rollforwarddb
• auditdb
• sysmod
• verifydb
• relocatedb
• fastload
• alterdb
• infodb
A user who is responsible for running Vector requires the Operator privilege.
These system commands can alternatively be run through the Remote Command (rmcmd) Server by a (client) user who has the rmcmd privileges rather than the Operator privilege (assuming that the user who launched rmcmd on the server side has the Operator privileges). The sysmod command, however, requires the client user to have the security privilege or be the user who launched rmcmd on the server side.
Security Privilege
The Security privilege allows a user to monitor the security of the system and the activities of its users. The Security privilege and all other privileges are automatically bestowed on the installation owner.
A user with this privilege can:
• Impersonate other users (using the -u flag on commands or performing the equivalent using Actian Director or the Users branch of the Virtual Nodes toolbar in VDBA).
• Connect to any database with unlimited database privileges. (In effect, database privileges are not enforced for users with the Security privilege.)
• Configure database and installation security alarms (using CREATE/DROP SECURITY_ALARM statements or the equivalent operations in Actian Director or VDBA).
IMPORTANT! The Security privilege is powerful because it allows the holder to impersonate any other user. At least one user with the Security privilege is required, but the privilege should be restricted as tightly as possible so that your system security is not compromised.
Note: The security privilege does not allow a user to bypass granted permissions on a database object; unless permission is granted to the user they are impersonating, they will not be able to access the object.
Note: Selecting from IMA tables requires Security privilege; otherwise 0 rows are returned.
Trace Privilege
The Trace privilege allows a user to perform tracing, troubleshooting, and debugging operations. It enables the user to set the debugging trace flags using the following statements:
• SET [NO]PRINTQRY
• SET [NO]RULES
• SET [NO]PRINTRULES
• SET [NO]IO_TRACE
• SET [NO]LOCK_TRACE
• SET [NO]LOG_TRACE
• SET TRACE POINT
The Trace privilege permits access to possibly confidential information, so it should be enabled for the installation owner or security administrator only.
Unmask Privilege
The UNMASK privilege allows the user to:
• View data that is masked
• Use the MASK_COLUMN() function in views to control access to and the presentation of masked data
• Use COPY INTO when a table contains columns marked as MASKED
Sets of Privileges Associated with a Session
In addition to assigning subject privileges to a user, Vector lets you define a default set of subject privileges that will be available at session startup.
In addition, any privilege assigned to the user can be added or dropped during the life of the session; this capability effectively applies the principle of least privilege.
The principle of least privilege asserts that a subject must have the minimum privileges required to perform an operation, and that these privileges must be active for the minimum amount of time necessary to perform that operation.
Thus, a session has three sets of privileges associated with it:
• The default privilege set contains those privileges that become active when a connection to Vector is initiated.
• The working privilege set contains those privileges that are active at any particular time (at session startup, the working privilege set is equivalent to the default privilege set).
• The maximum privilege set contains all privileges that a particular user is allowed to have.
The working privilege set is determined during the life of the session, when privileges can be made active as necessary to allow a privileged operation to be performed and made inactive on completion of the task.
The working privilege set is specified using the SET SESSION statement. Using SET SESSION, you can:
• Add allowed privileges to the working privilege set
• Drop privileges from the working privilege set
• Replace the working privilege set with specified allowed privileges
• Set the working privilege set to all allowed privileges
• Reset the working privilege set to the default privilege set
• Remove all privileges from the working privilege set
In VDBA, the maximum privilege set consists of all the privileges enabled in the Users column of the Create User or Alter User dialog. The default privilege set, which is a subset of the maximum privilege set, consists of all the privileges enabled in the Default column of the Create User or Alter User dialog.
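The three privilege sets and the SET SESSION operations listed above, shown as an added example that is not taken from the Vector documentation. The user name perf_analyst and the table name sales_fact are hypothetical, and the statement forms follow the CREATE USER and SET SESSION syntax of the Ingres/Vector SQL reference, so confirm them against your release.

```sql
-- Added example. perf_analyst and sales_fact are hypothetical names.

-- Run by a user who holds maintain_users.
-- Maximum privilege set: operator, trace.
-- Default privilege set: operator only, so trace is allowed but
-- inactive when a session starts.
CREATE USER perf_analyst
    WITH PRIVILEGES = (OPERATOR, TRACE),
         DEFAULT_PRIVILEGES = (OPERATOR);

-- The statements below run in a session connected as perf_analyst.
-- At startup the working privilege set equals the default set (operator).

-- Add trace to the working set only for the task that needs it.
SET SESSION ADD PRIVILEGES (TRACE);
SET PRINTQRY;
SELECT COUNT(*) FROM sales_fact;
SET NOPRINTQRY;

-- Drop trace again as soon as the task is complete.
SET SESSION DROP PRIVILEGES (TRACE);

-- The remaining forms operate on the whole working set.
-- Replace the working set with specified allowed privileges:
SET SESSION WITH PRIVILEGES = (OPERATOR);
-- Set the working set to all allowed privileges (the maximum set):
SET SESSION WITH PRIVILEGES = ALL;
-- Reset the working set to the default privilege set:
SET SESSION WITH PRIVILEGES = DEFAULT;
-- Remove all privileges from the working set:
SET SESSION WITH PRIVILEGES = NONE;
```

Keeping trace and security out of DEFAULT_PRIVILEGES means a session that never issues SET SESSION cannot use them, even though they remain in the user's maximum set.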