Separation of Duty
Descriptions in Default Permission Mechanism and System Administrator are about the initial situation after a cluster is created. By default, a system administrator with the SYSADMIN attribute has the highest-level permissions.
To avoid risks caused by centralized permissions, you can enable separation-of-duty to delegate system administrator permissions to security administrators and audit administrators.
After separation of duty is enabled, a system administrator does not have the CREATEROLE attribute (security administrator) and AUDITADMIN attribute (audit administrator). That is, you do not have the permissions to create roles and users and the permissions to view and maintain database audit logs. For details about the CREATEROLE and AUDITADMIN attributes, see CREATE ROLE.
After separation-of-duty is enabled, system administrators have the permissions only for the objects owned by them.
For details about how to enable separation-of-duty, see Separating Rights of Roles.
For details about permission changes before and after enabling separation-of-duty, see Table 1 and Table 2.
| Object | System Administrator | Security Administrator | Audit Administrator | Common User |
|---|---|---|---|---|
| Tablespace | Can create, modify, delete, access, and allocate tablespaces. | Cannot create, modify, delete, or allocate tablespaces, with authorization required for accessing tablespaces. | ||
| Table | Has permissions for all tables. | Has permissions for its own tables, but does not have permissions for other users' tables. | ||
| Index | Can create indexes on all tables. | Can create indexes on their own tables. | ||
| Schema | Has permissions for all schemas. | Has all permissions for its own schemas, but does not have permissions for other users' schemas. | ||
| Function | Has permissions for all functions. | Has permissions for its own functions, has the call permission for other users' functions in the public schema, but does not have permissions for other users' functions in other schemas. | ||
| Customized view | Has permissions for all views. | Has permissions for its own views, but does not have permissions for other users' views. | ||
| System catalog and system view | Has permissions to query all system catalogs and views. | Has permissions to query only some system catalogs and views. For details, see System Catalogs and System Views. | ||
| Object | System Administrator | Security Administrator | Audit Administrator | Common User |
|---|---|---|---|---|
| Tablespace | No change | No change | ||
| Table | Permissions reduced Has all permissions for its own tables, but does not have permissions for other users' tables in their schemas. | No change | ||
| Index | Permissions reduced Can create indexes on its own tables. | No change | ||
| Schema | Permissions reduced Has all permissions for its own schemas, but does not have permissions for other users' schemas. | No change | ||
| Function | Permissions reduced Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas. | No change | ||
| Customized view | Permissions reduced Has all permissions for its own views and other users' views in the public schema, but does not have permissions for other users' views in their schemas. | No change | ||
| System catalog and system view | No change | No change | No change | Has no permission to view any system catalogs or views. |
Last Article: System Administrator
Next Article: Users
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.