A user can successfully impersonate another user only if the at-least criteria are met. Validation of the criteria occurs when a SETUSER statement is executed, not when the SET USER system privilege is granted. If a user fails to meet any of the criteria when the SETUSER statement is issued, the impersonation attempt fails, and an error is returned.
There are four criteria for successful impersonation:
The impersonator has been granted the right to impersonate the target user.
The impersonator has, at minimum, all the roles and system privileges granted to the target user.
The impersonator has been granted the roles and system privileges with similar or more administrative rights.
For the purposes of meeting administrative rights criteria, the WITH ADMIN OPTION and WITH ADMIN ONLY OPTION clauses are considered to grant similar administrative rights. They are also considered to grant more administrative rights than the WITH NO ADMIN OPTION clause. For example, User1 is granted Role1 with the WITH ADMIN OPTION clause, User2 is granted Role1 with the WITH ADMIN ONLY clause, and User3 is granted Role1 with the WITH NO ADMIN OPTION clause. User1 and User2 are considered to have Role1 with similar administrative rights. User1 and User2 are also considered to have Role1 with more administrative rights than User3.
If the target user has been granted a system privilege which supports additional parameters, also known as extensions, (for example, you can provide a list of user IDs when granting the SET USER system privilege), the clauses used to grant the system privilege to the impersonator are a superset of those used for the target user.
Currently, only the SET USER and CHANGE PASSWORD system privileges support extensions. The extensions specified when granting SET USER and CHANGE PASSWORD to the impersonator must be equal to, or a super-set of, those specified when SET USER or CHANGE PASSWORD were granted to the target user. This is evaluated as follows:
The ANY extension is considered a superset to a role-list extension (list of roles) and a users-list extension (list of users). If the target user has the SET USER system privilege with the ANY extension (for example, GRANT SET USER ANY TO user1), the impersonator must also have the ANY extension.
If the target user has the SET USER system privilege with both the role-list and users-list extensions, the impersonator must also have the system privilege with the two extensions, and list for each extension must be equal to, or a superset to, the corresponding extension of the target user. For example, if the extension lists of both the impersonator and the target user contain User1, User2 and Role1, Role2, respectively, then the target list grants for each clause are considered equal. Alternately, if users-list for the impersonator contain User1, User2, Role1, Role2, respectively, while users-list for the target user contain User1, Role2 only, the impersonator's users-list is considered a superset to that of the target user.
If the target user has the SET USER system privilege with a single list extension, the extension list of the impersonator must be equal to, or a superset to, the list of the target user. For example, if the user_list of both the impersonator and the target user contain User1 and User2, they are considered equal. If user_list for the impersonator contains User1, User2, while user_list for the target user contains only User2, then user_list for the impersonator is considered to be a superset to user_list of the target user.
So if the impersonator has the SET USER or CHANGE PASSWORD system privileges with extensions that limit who they can use them on, but the target user has the system privileges with no limitations, the impersonation will fail because the at-least criteria regarding extensions has not been met.
Scenario 1 Scenario 2 Scenario 3 See also |
Discuter à propos de cette page dans DocCommentXchange.
|
Copyright © 2013, SAP AG ou société affiliée SAP - SAP Sybase SQL Anywhere 16.0 |