Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-authored-by: Lu, Huayi <luhuayi@huawei.com> Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
<a name="EN-US_TOPIC_0000001098654800"></a><a name="EN-US_TOPIC_0000001098654800"></a>
<h1 class="topictitle1">Separation of Permissions</h1>
<div id="body8662426"><p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p95493571544">The descriptions in <a href="dws_04_0054.html">Default Permission Mechanism</a> and <a href="dws_04_0055.html">System Administrator</a> apply to the initial state of a cluster after it is created. By default, a system administrator with the <strong id="EN-US_TOPIC_0000001098654800__b8991101745716">SYSADMIN</strong> attribute has the highest-level permissions.</p>
<p id="EN-US_TOPIC_0000001098654800__p1079615584920">To avoid risks caused by centralized permissions, you can enable the separation of permissions to delegate system administrator permissions to security administrators and audit administrators.</p>
<p id="EN-US_TOPIC_0000001098654800__ae9142f9f7e4e44c6941fd44ebf5bb07c">After the separation of permissions is enabled, a system administrator no longer has the <strong id="EN-US_TOPIC_0000001098654800__b55698114215">CREATEROLE</strong> attribute (security administrator) or the <strong id="EN-US_TOPIC_0000001098654800__b176613291721">AUDITADMIN</strong> attribute (audit administrator). That is, the system administrator cannot create roles and users, and cannot view or maintain database audit logs. For details about the <strong id="EN-US_TOPIC_0000001098654800__b23741358537">CREATEROLE</strong> and <strong id="EN-US_TOPIC_0000001098654800__b12251023419">AUDITADMIN</strong> attributes, see CREATE ROLE.</p>
<p id="EN-US_TOPIC_0000001098654800__ac3a31d30ead245b3a6212afdd01648e1">After the separation of permissions is enabled, system administrators have permissions only for the objects they own.</p>
<p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p8911681181">For details, see <span id="EN-US_TOPIC_0000001098654800__p95bb29a00b3e49a0b8c6f70a928bb395"><a href="https://docs.otc.t-systems.com/en-us/usermanual/dws/dws_01_0074.html" target="_blank" rel="noopener noreferrer">Separating Rights of Roles</a></span>.</p>
<p id="EN-US_TOPIC_0000001098654800__ad4edaf2313ee4688b4a73a3332ecdca3">For details about permission changes before and after enabling the separation of permissions, see <a href="#EN-US_TOPIC_0000001098654800__t377aae74ee254f66940189b3ceb10d30">Table 1</a> and <a href="#EN-US_TOPIC_0000001098654800__tb9d5b7413f2e49d2ba8a2827adf7aefb">Table 2</a>.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0000001098654800__t377aae74ee254f66940189b3ceb10d30"></a><a name="t377aae74ee254f66940189b3ceb10d30"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001098654800__t377aae74ee254f66940189b3ceb10d30" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Default user permissions</caption><thead align="left"><tr id="EN-US_TOPIC_0000001098654800__ra4a9e194d1804f2ca38bc53fd81ad0e6"><th align="left" class="cellrowborder" valign="top" width="11.624458133698381%" id="mcps1.3.7.2.6.1.1"><p id="EN-US_TOPIC_0000001098654800__ae644fa8a39c74dfba10653d3f52fffdf">Object</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="27.298653890029662%" id="mcps1.3.7.2.6.1.2"><p id="EN-US_TOPIC_0000001098654800__a0d38fcec04c54ad0aff2e058a799c083">System Administrator</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20.488250057038556%" id="mcps1.3.7.2.6.1.3"><p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p19645171183">Security Administrator</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20.13461099703399%" id="mcps1.3.7.2.6.1.4"><p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p5645127180">Audit Administrator</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20.454026922199404%" id="mcps1.3.7.2.6.1.5"><p id="EN-US_TOPIC_0000001098654800__ac6c067ac1f324eed99dbeac6f774deee">Common User</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001098654800__rd7421ebb5e3d4539b5ecc06cf96b79c1"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__ab59c377dfaa246dc965f03d0b138af31">Tablespace</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__a8b7b27cb9f7d421f88020e025080592e">Can create, modify, delete, access, and allocate tablespaces.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.7.2.6.1.3 mcps1.3.7.2.6.1.4 mcps1.3.7.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__a6611e4a1799546629071312ffd2f148f">Cannot create, modify, delete, or allocate tablespaces. Authorization is required to access tablespaces.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__rd7b9a92ccdb944f3ad164f0c94c32979"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a2411d6780e6e4d219e5869b97f879106">Table</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__ae0071426cacf4b31944133864c758163">Has permissions for all tables.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.7.2.6.1.3 mcps1.3.7.2.6.1.4 mcps1.3.7.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__a943e2f77d0c34468be8f4b375f189f37">Has permissions for its own tables, but does not have permissions for other users' tables.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__rd604edf2ad8c4777b4dfcda73ec8d105"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a635b8436f6724bf8b678961e508d298b">Index</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__a6333398e9cea401fbea609ae23fcccf2">Can create indexes on all tables.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.7.2.6.1.3 mcps1.3.7.2.6.1.4 mcps1.3.7.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__a4c5652a1b2054e67841a751dfef0b982">Can create indexes on their own tables.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r2e24f47108534503acb43c2dc463d04d"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__ac918054419f94ec48bb683e1777f7f8f">Schema</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__a25f51af6ae4441549bdfb7ae70b134d7">Has permissions for all schemas.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.7.2.6.1.3 mcps1.3.7.2.6.1.4 mcps1.3.7.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__af8e5211367484cdda663860647568bf5">Has all permissions for its own schemas, but does not have permissions for other users' schemas.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r4d48f082ad8b4ca38d5978cd13fc4989"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a6dc9185b2a964cf4bc26739c19d2f500">Function</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__afadff89c511f4e7c9e84c23557fcaa61">Has permissions for all functions.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.7.2.6.1.3 mcps1.3.7.2.6.1.4 mcps1.3.7.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__a2b0952f406f54df0a45485cd82a19962">Has permissions for its own functions, has the call permission for other users' functions in the <strong id="EN-US_TOPIC_0000001098654800__b946447163213">public</strong> schema, but does not have permissions for other users' functions in other schemas.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r5dbf64faa9ec44bf8c06ed1916133693"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a2f8c64f0513e47b7879bf879e6d01909">Customized view</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__af850ef747f6a40d588aee4c9d8e5df54">Has permissions for all views.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.7.2.6.1.3 mcps1.3.7.2.6.1.4 mcps1.3.7.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__a102d373d86564c628e883166e22282ba">Has permissions for its own views, but does not have permissions for other users' views.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r15516b1bcdd34640af32bb80dda2c959"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a87ab42f43cdf404a8e8c3fc515930d2e">System catalog and system view</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__a94faeb4a62ab47f38459de46476874cc">Has permissions for querying all system catalogs and views.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.7.2.6.1.3 mcps1.3.7.2.6.1.4 mcps1.3.7.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p1560817126">Has permissions for querying only some system catalogs and views. For details, see <a href="dws_04_0559.html">System Catalogs and System Views</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><a name="EN-US_TOPIC_0000001098654800__tb9d5b7413f2e49d2ba8a2827adf7aefb"></a><a name="tb9d5b7413f2e49d2ba8a2827adf7aefb"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001098654800__tb9d5b7413f2e49d2ba8a2827adf7aefb" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Changes in permissions after the separation of permissions</caption><thead align="left"><tr id="EN-US_TOPIC_0000001098654800__r0ba36be02a39401e9a16e828c9073205"><th align="left" class="cellrowborder" valign="top" width="10.551613641565575%" id="mcps1.3.8.2.6.1.1"><p id="EN-US_TOPIC_0000001098654800__ac37f2114a7654e7596beec5b35fb6ef6">Object</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="53.26161593041886%" id="mcps1.3.8.2.6.1.2"><p id="EN-US_TOPIC_0000001098654800__a1e1c0c470fc54388ad345ae06c32dc83">System Administrator</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.631723506523231%" id="mcps1.3.8.2.6.1.3"><p id="EN-US_TOPIC_0000001098654800__a9fbac4d96986474c8af4b5b1107a3090">Security Administrator</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.906385900663766%" id="mcps1.3.8.2.6.1.4"><p id="EN-US_TOPIC_0000001098654800__a1429f3b415754faca51de26dd18eed78">Audit Administrator</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.648661020828566%" id="mcps1.3.8.2.6.1.5"><p id="EN-US_TOPIC_0000001098654800__afce8fbd4f15f405aac0395b422c0ae7c">Common User</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001098654800__r2aa262bbaad84ba9b25b644d1664af9d"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__ad21add670b6047a4844112bf19888ddc">Tablespace</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__a263041127e234f6ebe48a5e68da183e2">No change</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.8.2.6.1.3 mcps1.3.8.2.6.1.4 mcps1.3.8.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p215311129190">No change</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r9c3400c7c2194282bda506a389337100"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a2915f779172549d2b2412c8b3655ce7d">Table</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__ae17f4508c4f54039b98e0131913b2411">Permissions reduced</p>
<p id="EN-US_TOPIC_0000001098654800__a86c906bc6b534504bcacb6d0db6b119c">Has all permissions for its own tables, but does not have permissions for other users' tables in their schemas.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.8.2.6.1.3 mcps1.3.8.2.6.1.4 mcps1.3.8.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__a97933a733689486a87d0ece915075fd9">No change</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__rceea62b467a943dab5e8a566880fdc3c"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a398aa3789f164ae6b40fc668eb75950c">Index</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__ace3f097ba5584f96933fb08a833b9d59">Permissions reduced</p>
<p id="EN-US_TOPIC_0000001098654800__aceb0d60a995244388d0247ed662fbdf0">Can create indexes on its own tables.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.8.2.6.1.3 mcps1.3.8.2.6.1.4 mcps1.3.8.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__a056c1867a284426aafdb55f1541aa8cb">No change</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r0311ff690378498fae9690a180e75ce7"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a9e1503036d0f456a89db66983970f6f0">Schema</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__a6d46a1c6b13b426a8ad8951613eca749">Permissions reduced</p>
<p id="EN-US_TOPIC_0000001098654800__a52f9169c68644a5daa351ba3bf552bd7">Has all permissions for its own schemas, but does not have permissions for other users' schemas.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.8.2.6.1.3 mcps1.3.8.2.6.1.4 mcps1.3.8.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p169698533193">No change</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r97f481387f6a4439bd563003b7976762"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a4f11ecd8c2b6423e90c692cf0d3fc106">Function</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__ab6020be49d964eb7b378795da703fcef">Permissions reduced</p>
<p id="EN-US_TOPIC_0000001098654800__a461bf1d3d0934f1985ca4147b639dd87">Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.8.2.6.1.3 mcps1.3.8.2.6.1.4 mcps1.3.8.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p740614192018">No change</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r31d6a5456c7548b7a4e9a93696bb67cc"><td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a0c296fcbc7764fad84328ce65a89a3d2">Customized view</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__en-us_topic_0155089861_p23393350179">Permissions reduced</p>
<p id="EN-US_TOPIC_0000001098654800__aa3c8b10e790d40cfa2d5d523c9664bb4">Has all permissions for its own views and other users' views in the <strong id="EN-US_TOPIC_0000001098654800__b1315141805918">public</strong> schema, but does not have permissions for other users' views in their schemas.</p>
</td>
<td class="cellrowborder" colspan="3" valign="top" headers="mcps1.3.8.2.6.1.3 mcps1.3.8.2.6.1.4 mcps1.3.8.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__afdcff5d80c244fcd827bc84399cd0fb4">No change</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001098654800__r9318436727da41ecba15a19ea95cc8ce"><td class="cellrowborder" valign="top" width="10.551613641565575%" headers="mcps1.3.8.2.6.1.1 "><p id="EN-US_TOPIC_0000001098654800__a310bcdfb7d0849c99ab20e887f916db2">System catalog and system view</p>
</td>
<td class="cellrowborder" valign="top" width="53.26161593041886%" headers="mcps1.3.8.2.6.1.2 "><p id="EN-US_TOPIC_0000001098654800__aacbc5ab711dd46f4b02b66e6b259fbc1">No change</p>
</td>
<td class="cellrowborder" valign="top" width="10.631723506523231%" headers="mcps1.3.8.2.6.1.3 "><p id="EN-US_TOPIC_0000001098654800__a5b86cef2ac44455fa4309e7f5f9659f4">No change</p>
</td>
<td class="cellrowborder" valign="top" width="10.906385900663766%" headers="mcps1.3.8.2.6.1.4 "><p id="EN-US_TOPIC_0000001098654800__a1063bfc0f8324eb2b214e1e18c564e76">No change</p>
</td>
<td class="cellrowborder" valign="top" width="14.648661020828566%" headers="mcps1.3.8.2.6.1.5 "><p id="EN-US_TOPIC_0000001098654800__a09c455cf8cad4eb6b2c948a2cf6fd12a">Has no permission for viewing any system catalogs or views.</p>
</td>
</tr>
</tbody>
</table>
</div>
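<p>The attribute split described above can be checked mechanically. The following Python script is an added example, not part of the original documentation or the product: it reads a role listing and reports roles that still combine SYSADMIN with CREATEROLE or AUDITADMIN, plus any of the three attributes that no role holds. The CSV layout, column names, and role names are constructed for illustration.</p>

```python
import csv
import io

# Constructed sample export (not from the page): one row per role with the
# three administrative attributes the page names. Column names are assumptions.
SAMPLE_EXPORT = """role,sysadmin,createrole,auditadmin
dbadmin,t,f,f
sec_admin,f,t,f
audit_admin,f,f,t
legacy_ops,t,t,f
etl_user,f,f,f
"""

ADMIN_ATTRS = ("sysadmin", "createrole", "auditadmin")
TRUE_VALUES = ("t", "true", "1")


def load_roles(text):
    """Parse the export into {role name: set of admin attributes held}."""
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        held = {a for a in ADMIN_ATTRS if row[a].strip().lower() in TRUE_VALUES}
        roles[row["role"].strip()] = held
    return roles


def check_separation(roles):
    """Return (violations, unassigned).

    violations: roles holding SYSADMIN together with CREATEROLE or AUDITADMIN,
                the combination the separation of permissions is meant to exclude.
    unassigned: admin attributes that no role holds (an added sanity check, so
                that role creation and audit-log access are not left without
                an owner).
    """
    violations = {}
    for name, held in roles.items():
        extra = held & {"createrole", "auditadmin"}
        if "sysadmin" in held and extra:
            violations[name] = sorted(extra)
    assigned = set().union(*roles.values())
    unassigned = [a for a in ADMIN_ATTRS if a not in assigned]
    return violations, unassigned


if __name__ == "__main__":
    found, missing = check_separation(load_roles(SAMPLE_EXPORT))
    for name, extra in sorted(found.items()):
        print(f"VIOLATION {name}: SYSADMIN combined with {', '.join(extra)}")
    for attr in missing:
        print(f"WARNING no role holds {attr}")
```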
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dws_04_0053.html">Managing Users and Their Permissions</a></div>
</div>
</div>