A subject privilege defines the type of operations permissible in a user session. Subject privileges are assigned to a user (subject).

Subject privileges are typically assigned when a user object is created or modified. Subject privileges can also be assigned to roles, as discussed in Groups and Roles on page 23.

To set or change subject privileges for a user, you must have the maintain_users privilege.

The subject privileges are as follows:

The Auditor privilege allows a user to obtain information from the audit log.

A user with this privilege can:

The Change_Password privilege lets the user change his password (but not those of others).

The createdb privilege gives the user the ability to create databases.

This privilege is required to use the createdb system command or to use the equivalent operation in Actian Director or Visual DBA.

The maintain_audit privilege allows a user to manage auditing features, including determining the security audit activity level for profiles, users, and roles, and the ability to turn security auditing on and off.

The maintain_audit privilege is typically assigned to the system administrator, the database administrator, or a separate security administrator.

A user with this privilege can:

The maintain_locations privilege allows a user to control the allocation of disk space, create new locations or allow new locations to be created, and allow existing locations to be modified or removed.

This privilege is needed to issue the CREATE, ALTER, and DROP LOCATION statements (or to perform the equivalent operations on location objects in Actian Director or VDBA).

The maintain_users privilege allows a user to perform various user-related functions.

A user who is responsible for running Vector requires the Operator privilege.

These system commands can alternatively be run through the Remote Command (rmcmd) Server by a (client) user who has the rmcmd privileges rather than the Operator privilege (assuming that the user who launched rmcmd on the server side has the Operator privileges). The sysmod command, however, requires the client user to have the security privilege or be the user who launched rmcmd on the server side.

The Security privilege allows a user to monitor the security of the system and the activities of its users. The Security privilege and all other privileges are automatically bestowed on the installation owner.

The Trace privilege allows a user to perform tracing, troubleshooting, and debugging operations. It enables the user to set the debugging trace flags using the following statements:

The Trace privilege permits access to possibly confidential information, so it should be enabled for the installation owner or security administrator only.

The UNMASK privilege allows the user to:

In addition to assigning subject privileges to a user, Vector lets you define a default set of subject privileges that will be available at session startup.

In addition, any privilege assigned to the user can be added or dropped during the life of the session; this capability effectively applies the principle of least privilege.

The principle of least privilege asserts that a subject must have the minimum privileges required to perform an operation, and that these privileges must be active for the minimum amount of time necessary to perform that operation.

Thus, a session has three sets of privileges associated with it:

The working privilege set is determined during the life of the session, when privileges can be made active as necessary to allow a privileged operation to be performed and made inactive on completion of the task.

The working privilege set is specified using the SET SESSION statement. Using SET SESSION, you can:

In VDBA, the maximum privilege set consists of all the privileges enabled in the Users column of the Create User or Alter User dialog. The default privilege set, which is a subset of the maximum privilege set, consists of all the privileges enabled in the Default column of the Create User or Alter User dialog.