 |  LoginProducts  SalesSupportDownloadsAbout |
| Home » Technical Support » ElevateDB Technical Support » Product Manuals » ElevateDB Version 2 SQL Manual » Getting Started » User Security |
User SecurityElevateDB supports most of the SQL security model that is specified in the SQL 2003 standard. This includes support for users and roles (authorizations), as well as the granting and revoking of privileges on database objects. However, ElevateDB only allows users that have been granted the special system-created Administrators role to create, alter, or drop users and roles, or grant or revoke privileges for either. The SQL statements that apply to user security in ElevateDB are as follows:
CREATE USER
ALTER USER
DROP USER
RENAME USER
CREATE ROLE
ALTER ROLE
DROP ROLE
RENAME ROLE
GRANT ROLES
REVOKE ROLES
GRANT PRIVILEGES
REVOKE PRIVILEGES
Users and Roles
ElevateDB supports the creation of both users and roles, and both are considered authorizations in that they can be granted privileges on database objects. Roles can be granted to users, which allows for easier administration of the privileges for a given application and/or database by organizing the granting and revoking of privileges based upon the tasks required by a certain group of users. For example, in a point-of-sale application there would possibly be the following roles:
which would be created using the following SQL statements:
One could then grant privileges on the various database objects to these roles instead of directly to the users like this:
Finally, granting these roles to new users can be done using the GRANT ROLE statement:
Default Users and Roles
There are two system-created users and two system created roles in every ElevateDB configuration. They are as follows:
System User
The System user is created automatically for each new ElevateDB configuration, and cannot be dropped or altered. The System user is used in the following contexts:
Administrator User
The Administrator user is created automatically for each new ElevateDB configuration, and can be dropped and altered. The default password for the Administrator user is:
The default Administrator user is automatically granted the system-created Administrators role (see below).
Administrators Role
The Administrators role is created automatically for each new ElevateDB configuration, and cannot be dropped or altered. Only users that have been granted the Administrators role can execute the following statements:
CREATE USER
ALTER USER
DROP USER
RENAME USER
CREATE ROLE
ALTER ROLE
DROP ROLE
RENAME ROLE
GRANT ROLES
REVOKE ROLES
GRANT PRIVILEGES
REVOKE PRIVILEGES
CREATE DATABASE
ALTER DATABASE
DROP DATABASE
RENAME DATABASE
CREATE JOB
ALTER JOB
DROP JOB
RENAME JOB
CREATE STORE
ALTER STORE
DROP STORE
RENAME STORE
CREATE MODULE
ALTER MODULE
DROP MODULE
RENAME MODULE
CREATE MIGRATOR
ALTER MIGRATOR
DROP MIGRATOR
RENAME MIGRATOR
CREATE TEXT FILTER
ALTER TEXT FILTER
DROP TEXT FILTER
RENAME TEXT FILTER
CREATE WORD GENERATOR
ALTER WORD GENERATOR
DROP WORD GENERATOR
RENAME WORD GENERATOR
DISCONNECT SERVER SESSION
REMOVE SERVER SESSION
The one exception is the ALTER USER statement, which can also be used by the current user to change his or her password at any time.
Public Role
The Public role is created automatically for each new ElevateDB configuration, and cannot be dropped or altered. By default, all users are automatically granted the Public role, but the role can be revoked at any time as necessary.
Privileges
The GRANT PRIVILEGES and REVOKE PRIVILEGES statements can be used by any user that has been granted the Administrators role, and are used to specify the database object privileges that are available to the various users and/or roles that are defined in the configuration. The following table shows which privileges may be granted for the various database objects:
As you can see, the privileges granted on a given object usually dictate whether another object contained within the object can be accessed or altered in some way. For example, a user or role must have been granted CREATE privileges on a given table in order for that user or role to be able to use the CREATE TRIGGER statement to create a new trigger on the table.
CREATE USER
ALTER USER
DROP USER
RENAME USER
CREATE ROLE
ALTER ROLE
DROP ROLE
RENAME ROLE
GRANT ROLES
REVOKE ROLES
GRANT PRIVILEGES
REVOKE PRIVILEGES
Users and Roles
ElevateDB supports the creation of both users and roles, and both are considered authorizations in that they can be granted privileges on database objects. Roles can be granted to users, which allows for easier administration of the privileges for a given application and/or database by organizing the granting and revoking of privileges based upon the tasks required by a certain group of users. For example, in a point-of-sale application there would possibly be the following roles:
Cashiers Managers
which would be created using the following SQL statements:
CREATE ROLE Cashiers DESCRIPTION 'Store Cashiers' CREATE ROLE Managers DESCRIPTION 'Store Managers'
One could then grant privileges on the various database objects to these roles instead of directly to the users like this:
GRANT SELECT, INSERT ON Transactions TO Cashiers GRANT SELECT, INSERT, UPDATE, DELETE ON Inventory TO Managers
Finally, granting these roles to new users can be done using the GRANT ROLE statement:
CREATE USER Jenny PASSWORD '34IJT199' DESCRIPTION 'Jenny Myers' GRANT Cashiers TO Jenny
Default Users and Roles
There are two system-created users and two system created roles in every ElevateDB configuration. They are as follows:
System User
The System user is created automatically for each new ElevateDB configuration, and cannot be dropped or altered. The System user is used in the following contexts:
| Context | Description |
| Job Execution | By default, the System User is used as the current user within the actual execution context of a job. However, this can be changed on a per-job basis in order to use a different user for the execution context. |
| Routine Execution | Once ElevateDB verifies that the current user has the proper execution privileges for a function or procedure, the System User is used as the current user within the actual execution context of the function or procedure. This is to allow for the routine to access resources that the executing user may or may not have access to. |
| Triggers | Triggers always use the System user for the current user within the execution context of the trigger. This is to allow for the trigger to access resources that the executing user may or may not have access to. This is especially useful, for example, in situations where transactions cause inventory to be updated but you don't want the person entering the transactions into the transactions table to have access to the inventory table. |
| Foreign Key Constraints | Any tables referenced in a foreign key constraint are opened using the System User. This is necessary because not all users may have the proper privileges required to open up tables that have been declared the target of a foreign key constraint. |
Administrator User
The Administrator user is created automatically for each new ElevateDB configuration, and can be dropped and altered. The default password for the Administrator user is:
EDBDefault (case-sensitive)
The default Administrator user is automatically granted the system-created Administrators role (see below).
Administrators Role
The Administrators role is created automatically for each new ElevateDB configuration, and cannot be dropped or altered. Only users that have been granted the Administrators role can execute the following statements:
CREATE USER
ALTER USER
DROP USER
RENAME USER
CREATE ROLE
ALTER ROLE
DROP ROLE
RENAME ROLE
GRANT ROLES
REVOKE ROLES
GRANT PRIVILEGES
REVOKE PRIVILEGES
CREATE DATABASE
ALTER DATABASE
DROP DATABASE
RENAME DATABASE
CREATE JOB
ALTER JOB
DROP JOB
RENAME JOB
CREATE STORE
ALTER STORE
DROP STORE
RENAME STORE
CREATE MODULE
ALTER MODULE
DROP MODULE
RENAME MODULE
CREATE MIGRATOR
ALTER MIGRATOR
DROP MIGRATOR
RENAME MIGRATOR
CREATE TEXT FILTER
ALTER TEXT FILTER
DROP TEXT FILTER
RENAME TEXT FILTER
CREATE WORD GENERATOR
ALTER WORD GENERATOR
DROP WORD GENERATOR
RENAME WORD GENERATOR
DISCONNECT SERVER SESSION
REMOVE SERVER SESSION
The one exception is the ALTER USER statement, which can also be used by the current user to change his or her password at any time.Public Role
The Public role is created automatically for each new ElevateDB configuration, and cannot be dropped or altered. By default, all users are automatically granted the Public role, but the role can be revoked at any time as necessary.
Privileges
The GRANT PRIVILEGES and REVOKE PRIVILEGES statements can be used by any user that has been granted the Administrators role, and are used to specify the database object privileges that are available to the various users and/or roles that are defined in the configuration. The following table shows which privileges may be granted for the various database objects:
| Database Object | Privileges |
| DATABASE | SELECT (Determines Visibility) CREATE (Tables, Views, Functions, Procedures) ALTER (Tables, Views, Functions, Procedures) DROP (Tables, Views, Functions, Procedures) MAINTAIN (Tables) BACKUP RESTORE |
| STORE | SELECT (Determines Visibility) CREATE (Files) ALTER (Files) DROP (Files) |
| TABLE | SELECT (Determines Visibility) INSERT UPDATE DELETE CREATE (Triggers, Indexes) ALTER (Triggers, Indexes) DROP (Triggers, Indexes) |
| VIEW | SELECT (Determines Visibility) INSERT UPDATE DELETE |
| FUNCTION | EXECUTE (Determines Visibility) |
| PROCEDURE | EXECUTE (Determines Visibility) |
As you can see, the privileges granted on a given object usually dictate whether another object contained within the object can be accessed or altered in some way. For example, a user or role must have been granted CREATE privileges on a given table in order for that user or role to be able to use the CREATE TRIGGER statement to create a new trigger on the table.
More Support Options
This web page was last updated on Thursday, November 16, 2023 at 10:39 AM | Privacy PolicySite Map © 2024 Elevate Software, Inc. All Rights Reserved Questions or comments ?  E-mail us at info@elevatesoft.com |
