The privileges that a role or user has can be grouped into categories as follows:
Privileges explicitly granted to a user or group (role) These are the privileges that are explicitly set for a user or role to control whether they can create, execute, delete, modify, or use specified database objects. See Granting an object-level privilege (Sybase Central).
You cannot revoke a privilege that was not explicitly granted. For example, suppose user BobW is a member of a role called Sales. If a user grants DELETE privilege on the table T to the Sales role, then BobW can delete rows from table T. To prevent BobW from deleting from table T, you cannot revoke DELETE on the table T from BobW, since the DELETE ON T privilege was never explicitly granted to BobW.
Privileges acquired through ownership of an object A user who creates a new object within the database is called the owner of that object, and automatically has permission to perform any operation on that object. For example, the owner of a table can modify the structure of that table, or can grant permissions to other database users to update the information within the table.
If a user is a user-extended role, grantees of that role do not inherit the privileges associated with ownership of the objects. The privileges must be explicitly granted to them, or inherited by them through a role.
For object-level privileges, ownership of database objects is associated with a single user ID. When the owner is a user-extended role or standalone role, ownership of the database object is not inherited by its grantees. For example, if a user-extended role or a standalone role owns objects, grantees of the user-extended role or standalone role cannot automatically query the objects; they must still be given SELECT privilege to query the objects.
Privileges inherited through groups Groups are achieved through user-defined roles, so the inheritance of privileges through group membership is the same as through roles.
Privileges granted on disabled objects You can grant privileges on disabled objects. Privileges for disabled objects are stored in the database and become effective when the object is enabled. The inheritance hierarchy can have many levels if roles have been granted to roles.
To view the roles and privileges that a role or user has, see Viewing the roles and privileges for a user or role (Sybase Central) and Viewing the roles and privileges for a user or role (SQL).
The following scenarios show how privileges are inherited, especially with regard to different grant levels of administration rights through inheritance.
Discuss this page in DocCommentXchange.
|Copyright © 2014, SAP AG or an SAP affiliate company. - SAP Sybase SQL Anywhere 16.0|