In pre-16.0 databases, if you granted the DBA, REMOTE DBA, BACKUP, RESOURCE AND VALIDATE authorities to a group, the underlying permissions were not inherited by members of the group.
Now, however, the default behavior when granting any role (including SYS_AUTH_DBA_ROLE, SYS_RUN_REPLICATION_ROLE, SYS_AUTH_BACKUP_ROLE, SYS_AUTH_RESOURCE_ROLE, and SYS_AUTH_VALIDATE_ROLE) to a user-defined role is to allow those who have been granted the user-defined role to inherit the underlying system privileges of these roles.
Suppose you have a user, userA. You grant userA the ALTER ANY OBJECT system privilege. You then decide to extend userA to become a role, and then grant userA to userB. Now you want to grant the SYS_AUTH_DBA_ROLE system role to userA, but you don't want userB to inherit all the privileges that the SYS_AUTH_DBA_ROLE system role gives. You would therefore grant the SYS_AUTH_DBA_ROLE system role as follows:
GRANT ROLE SYS_AUTH_DBA_ROLE TO userA WITH NO SYSTEM PRIVILEGE INHERITANCE;
In this scenario, userB inherits only the ALTER ANY OBJECT system privilege from userA.
To retain the non-inheritance behavior of these roles during upgrade, SQL Anywhere includes a WITH NO SYSTEM PRIVILEGE INHERITANCE clause in the GRANT ROLE statement. Likewise, if you have applications that you are changing to use the new GRANT syntax, you must specify this clause as well. This clause is only for use with these specific roles.
Discuss this page in DocCommentXchange.
|Copyright © 2014, SAP AG or an SAP affiliate company. - SAP Sybase SQL Anywhere 16.0|