SQL/MX 3.1 Reference Manual (H06.23+, J06.12+)
SQL/MX Statements
HP NonStop SQL/MX Release 3.1 Reference Manual—663850-001
A Guardian user number (for example, “255,255”) is not allowed. authid is not
case-sensitive.
Considerations for GRANT SECURITY_ADMIN
Authorization Requirements
If the Security Administrator's Group is empty, only the Super ID may execute the
GRANT SECURITY_ADMIN statement. Otherwise, only a Security Administrator may
execute this statement.
Security Considerations
NonStop SQL/MX translates each authorization ID you specify into a 32-bit integer
value and then stores the number in the system metadata tables. The stored
identification number, not the characters of the authorization ID, is used to identify a
Security Administrator. For this reason, care must be exercised when reusing vacated
Guardian user IDs. HP recommends utilizing a dedicated Guardian user group for
Security Administrators.
To prevent a Security Administrator from creating a user for themselves and granting
any privilege to that user, HP strongly recommends that the function of creating users
be restricted to users outside the Security Administrator's Group.
Since object owners may continue to grant privileges in the presence of Security
Administrators and owner-derived grants exist distinctly from those made by Security
Administrators, HP recommends that object ownership reside with an entity such as a
DBA who would be expected to refrain from making owner-derived grants. HP also
recommends periodic auditing of object privileges to detect and correct unauthorized
grants.
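The number-based identification and the periodic audit recommended above can be checked mechanically. The following Python sketch is an added example, not code from HP or this manual; the record layouts, the site-kept record of intended holders, the ID numbers, the object name, and every user name other than SECADMIN.USER1 are constructed assumptions.

```python
# Added example with constructed data. The record layouts are assumptions
# for illustration, not SQL/MX metadata table formats.

def audit_admin_ids(intended, stored_ids, directory):
    """Classify each stored Security Administrator ID number.

    intended   -- site-kept record: ID number -> user name the grant was meant for
    stored_ids -- ID numbers currently recorded as Security Administrators
    directory  -- current user directory: user name -> ID number
    """
    current = {num: name for name, num in directory.items()}
    findings = {}
    for num in sorted(stored_ids):
        want, have = intended.get(num), current.get(num)
        if want is None:
            findings[num] = "UNRECORDED"   # nobody documented who should hold it
        elif have is None:
            findings[num] = "VACANT"       # the next user given this number inherits the role
        elif have.upper() != want.upper():  # authorization IDs are not case-sensitive
            findings[num] = "REASSIGNED"   # the number now belongs to a different user
        else:
            findings[num] = "OK"
    return findings


def owner_derived_grants(grants, owners):
    """Return grants whose grantor is the owner of the object (owner-derived)."""
    return [g for g in grants if g["grantor"] == owners[g["object"]]]


# Constructed sample input (ID numbers and all names except SECADMIN.USER1 are made up).
INTENDED = {5121: "SECADMIN.USER1", 5122: "SECADMIN.USER2", 5123: "SECADMIN.USER3"}
STORED = {5121, 5122, 5123, 777}
DIRECTORY = {"secadmin.user1": 5121, "PAYROLL.CLERK": 5122}
GRANTS = [
    {"object": "CAT.SCH.T1", "grantor": 9001, "grantee": 5122, "priv": "SELECT"},
    {"object": "CAT.SCH.T1", "grantor": 5121, "grantee": 6000, "priv": "SELECT"},
]
OWNERS = {"CAT.SCH.T1": 9001}

if __name__ == "__main__":
    for num, status in audit_admin_ids(INTENDED, STORED, DIRECTORY).items():
        print(num, status)
    for g in owner_derived_grants(GRANTS, OWNERS):
        print("review owner-derived grant:", g)
```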
Metadata Version Requirements
The GRANT SECURITY_ADMIN statement requires system metadata version 3100 or
greater. If the statement is executed with lower versions of the system metadata, a
SQL error 25223 is generated.
Examples of GRANT SECURITY_ADMIN
• The following example designates the Super ID as a Security Administrator:
  GRANT SECURITY_ADMIN TO "SUPER.SUPER";
• The following example designates the user, SECADMIN.USER1, as a Security Administrator: