Help Center > > Developer Guide> Database Security Management> Managing Users and Their Permissions> Separation of Duty

Separation of Duty

Updated at: Jul 15, 2020 GMT+08:00

Descriptions in Default Permission Mechanism and System Administrator are about the initial situation after a cluster is created. By default, a system administrator with the SYSADMIN attribute has the highest-level permissions.

To avoid risks caused by centralized permissions, you can enable separation-of-duty to delegate system administrator permissions to security administrators and audit administrators.

After separation of duty is enabled, a system administrator does not have the CREATEROLE attribute (security administrator) and AUDITADMIN attribute (audit administrator). That is, you do not have the permissions to create roles and users and the permissions to view and maintain database audit logs. For details about the CREATEROLE and AUDITADMIN attributes, see CREATE ROLE.

After separation-of-duty is enabled, system administrators have the permissions only for the objects owned by them.

For details about how to enable separation-of-duty, see Separating Rights of Roles.

For details about permission changes before and after enabling separation-of-duty, see Table 1 and Table 2.

Table 1 Default user permissions

Object

System Administrator

Security Administrator

Audit Administrator

Common User

Tablespace

Can create, modify, delete, access, and allocate tablespaces.

Cannot create, modify, delete, or allocate tablespaces, with authorization required for accessing tablespaces.

Table

Has permissions for all tables.

Has permissions for its own tables, but does not have permissions for other users' tables.

Index

Can create indexes on all tables.

Can create indexes on their own tables.

Schema

Has permissions for all schemas.

Has all permissions for its own schemas, but does not have permissions for other users' schemas.

Function

Has permissions for all functions.

Has permissions for its own functions, has the call permission for other users' functions in the public schema, but does not have permissions for other users' functions in other schemas.

Customized view

Has permissions for all views.

Has permissions for its own views, but does not have permissions for other users' views.

System catalog and system view

Has permissions to query all system catalogs and views.

Has permissions to query only some system catalogs and views. For details, see System Catalogs and System Views.

Table 2 Changes in permissions after separation-of-duty

Object

System Administrator

Security Administrator

Audit Administrator

Common User

Tablespace

No change

No change

Table

Permissions reduced

Has all permissions for its own tables, but does not have permissions for other users' tables in their schemas.

No change

Index

Permissions reduced

Can create indexes on its own tables.

No change

Schema

Permissions reduced

Has all permissions for its own schemas, but does not have permissions for other users' schemas.

No change

Function

Permissions reduced

Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas.

No change

Customized view

Permissions reduced

Has all permissions for its own views and other users' views in the public schema, but does not have permissions for other users' views in their schemas.

No change

System catalog and system view

No change

No change

No change

Has no permission to view any system catalogs or views.

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel