Using discretionary access control
Discretionary access control verifies a user's privileges to perform any particular operation.
You can use the following steps to define and grant privileges for a default role:
- Select an existing role in the current database to use as a default role, or create the role that you want to use as a default role. Use the CREATE ROLE rolename statement to create a new role in the current database.
- Use the GRANT statement to grant privileges to the role.
- Grant the role to a user, and set the role as the default user or PUBLIC role, by using the syntax GRANT DEFAULT ROLE rolename TO username or GRANT DEFAULT ROLE rolename TO PUBLIC.
Use the REVOKE DEFAULT ROLE statement to disassociate a default role from a user.
A user must use the SET ROLE DEFAULT statement to change any other current role to the default role.
As an administrator, you can define a default role to assign to individual users or to the PUBLIC group for a particular database. The default role is automatically applied when a user establishes a connection with the database. Each user has whatever privileges you grant to the user individually and the privileges of the default role. A user can switch from the current individual role to the default role by using the SET ROLE DEFAULT statement. If different default roles are assigned to a user and to PUBLIC, the default role of the user takes precedence. If a default role is not assigned to a user, the user only has individually granted and public privileges.
Role separation enforces the separation of administrative tasks among the people who run and audit the database server. If INF_ROLE_SEP is not set, then user informix can perform all administrative tasks. Set the INF_ROLE_SEP environment variable to a non-zero integer value to implement role separation.
Use the DBCREATE_PERMISSION configuration parameter to give specified users permission to create databases and thus prevent other users from creating databases. If you do not set the DBCREATE_PERMISSION configuration parameter, any user can create a database. The user informix always has permission to create databases. Complete the following steps to set permission to create databases.
- Add DBCREATE_PERMISSION informix to the onconfig file to restrict the ability to create databases to the informix user.
- Optionally include multiple instances of DBCREATE_PERMISSION in the onconfig file to give additional users permission to create databases. For example, to grant permission to users named watson and jay, add DBCREATE_PERMISSION watson, jay to the onconfig file.
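The following check is an added example, not part of the original documentation or of the product. It reads the text of an onconfig file, collects the users named on DBCREATE_PERMISSION lines, and compares them with an approved list. The function names, the sample file content, and the treatment of # as a comment marker are assumptions made for this example.

```python
import re

ALWAYS_ALLOWED = {"informix"}  # the page: informix can always create databases

def dbcreate_users(onconfig_text):
    """Collect every user named on a DBCREATE_PERMISSION line."""
    users = set()
    for raw in onconfig_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' begins a comment
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == "DBCREATE_PERMISSION":
            # Accept several instances and comma-separated names, as on the page.
            users.update(u for u in re.split(r"[,\s]+", fields[1]) if u)
    return users

def audit_dbcreate(onconfig_text, approved):
    """Compare configured database creators with an approved list (hypothetical helper)."""
    configured = dbcreate_users(onconfig_text)
    if not configured:
        # Parameter not set: per the page, any user can create a database.
        return {"restricted": False, "creators": set(), "unapproved": []}
    creators = configured | ALWAYS_ALLOWED
    unapproved = sorted(creators - set(approved) - ALWAYS_ALLOWED)
    return {"restricted": True, "creators": creators, "unapproved": unapproved}

# Constructed sample onconfig fragment, not taken from a real server.
SAMPLE = """\
ROOTNAME rootdbs
DBCREATE_PERMISSION informix
DBCREATE_PERMISSION watson, jay
#DBCREATE_PERMISSION mallory
"""

if __name__ == "__main__":
    report = audit_dbcreate(SAMPLE, approved={"watson"})
    print("restricted:", report["restricted"])
    print("creators:", sorted(report["creators"]))
    print("unapproved:", report["unapproved"])
    print("no parameter:", audit_dbcreate("ROOTNAME rootdbs\n", approved=set()))
```

A result with restricted set to False means the file carries no DBCREATE_PERMISSION entry, which is the case in which any user can create a database.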