A user must be granted the SYS_RUN_REPLICATION_ROLE to run synchronization. The SYS_RUN_REPLICATION_ROLE grants a user system privileges, but these privileges can only be used when the user is logged in through an authenticated tool like dbmlsync or SQL Remote. This is similar to the way REMOTE DBA worked.
By default, the SYS_RUN_REPLICATION_ROLE system role includes the SYS_AUTH_DBA_ROLE system role. However, the SYS_AUTH_DBA_ROLE system role can be revoked from the SYS_RUN_REPLICATION_ROLE system role. The SYS_AUTH_DBA_ROLE system role is the only authority that can be removed from the SYS_RUN_REPLICATION_ROLE system role.
The SYS_AUTH_DBA_ROLE system role usually has more authority than is needed to synchronize. To set up a more secure synchronization environment, use one of the following approaches:
Revoke SYS_AUTH_DBA_ROLE from the SYS_RUN_REPLICATION_ROLE system role and grant the following system privileges:
The advantages of this approach are simplicity and the fact these system-level privileges can only be used when the user is connected through an authenticated tool (like dbmlsync or SQL REMOTE). The disadvantage of this approach is that the SYS_RUN_REPLICATION_ROLE system role is granted more privileges than are strictly needed for synchronization. It is given INSERT, UPDATE, DELETE and ALTER privileges on all tables and EXECUTE on all procedures when it only needs these privileges on a few tables and procedures.
Revoke SYS_AUTH_DBA_ROLE from the SYS_RUN_REPLICATION_ROLE system role, create a user-extended role that has the SYS_RUN_REPLICATION_ROLE system role, and grant the user-extended role to any user you want to allow to synchronize the database. Grant the following object-level privileges to the user-extended role:
The advantage of this approach is that you have very fine control over the privileges granted to the user. However, the privileges granted are available to the users regardless of how they are logged in. Users are not just limited to connections made by dbmlsync and SQL Remote.
Discuter à propos de cette page dans DocCommentXchange.
|Copyright © 2013, SAP AG ou société affiliée SAP - SAP Sybase SQL Anywhere 16.0|