A user can temporarily assume the identity of another user in the database (also known as impersonation) to perform operations, provided they have a superset of the privileges of the person they are impersonating. This restriction is referred to as the at-least criteria, and it extends to administrative rights and object-level privileges as well. If a user does not have at least the same privileges and administrative rights as the user they want to impersonate, they cannot impersonate them.
You might wonder why, if a user meets and even exceeds the at-least criteria, they don't just perform the operations themselves, instead of impersonating another user to do so. The reason is that if the impersonator has more privileges than required for the task, the additional privileges can affect the output of the task. Impersonating the user who normally performs the task negates this possibility. The goal is to recreate the privileges, and potentially the database options, that are in effect for the user who is being impersonated.
The ability to impersonate another user is controlled by the SET USER system privilege. When you grant the SET USER system privilege, you can limit whom the grantee can impersonate to one of the following:
any user in the database
users from a specified list of users
users who are grantees of one or more of a specified list of roles
The at-least criteria is not evaluated at the time the SET USER system privilege is granted. Instead, it is evaluated when a user attempts to impersonate another user by executing a SETUSER statement.
While an impersonation session is in progress, any GRANT or REVOKE operations that would cause the at-least criteria to be violated are disallowed by the database server, and an error message is returned indicating the grant or revoke operation cannot proceed.
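The rules above can be reviewed offline before anyone attempts a SETUSER. The following Python model is an added example, not SAP code: it reports which in-scope impersonations meet the at-least criteria and which GRANT or REVOKE operations would be refused during a session. The users, roles, grants and the representation of privileges as plain strings are all constructed assumptions.

```python
# Simplified model (added example): privileges are plain strings; admin rights
# and object-level privileges are separate entries. All names are constructed.
PRIVS = {
    "ann": {"CREATE TABLE", "CREATE TABLE:ADMIN", "SELECT ON sales", "BACKUP DATABASE"},
    "bob": {"CREATE TABLE", "SELECT ON sales"},
    "cat": {"SELECT ON sales"},
    "dan": {"BACKUP DATABASE", "SELECT ON sales"},
}
ROLES = {"reporting": {"bob", "cat"}}  # role -> grantees

# SET USER grants: grantee -> (scope kind, argument); the three forms on the page.
SET_USER = {
    "ann": ("any", None),
    "bob": ("users", {"cat", "dan"}),
    "cat": ("roles", {"reporting"}),
}

def in_scope(grantee, target):
    """Does the grantee's SET USER grant name this target at all?"""
    kind, arg = SET_USER.get(grantee, (None, None))
    if kind == "any":
        return True
    if kind == "users":
        return target in arg
    if kind == "roles":
        return any(target in ROLES.get(role, set()) for role in arg)
    return False

def missing(impersonator, target, privs=PRIVS):
    """Privileges the target holds that the impersonator lacks (empty: at-least met)."""
    return privs[target] - privs[impersonator]

def can_setuser(impersonator, target, privs=PRIVS):
    """Evaluated at SETUSER time, not when SET USER was granted."""
    return in_scope(impersonator, target) and not missing(impersonator, target, privs)

def change_allowed(op, user, privilege, sessions, privs=PRIVS):
    """Refuse a GRANT/REVOKE that would break at-least for an active session."""
    after = {u: set(p) for u, p in privs.items()}
    (after[user].add if op == "GRANT" else after[user].discard)(privilege)
    return all(not missing(imp, tgt, after) for imp, tgt in sessions)

def audit():
    """Every in-scope (impersonator, target) pair with what blocks it, if anything."""
    return {(g, t): sorted(missing(g, t))
            for g in SET_USER for t in PRIVS if g != t and in_scope(g, t)}
```

A non-empty list in the `audit()` result marks a SET USER grant that exists but would fail when the SETUSER statement is executed.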
Copyright © 2014, SAP AG or an SAP affiliate company. - SAP Sybase SQL Anywhere 16.0