Debugging compiled SQL PL objects overview

Debugging compiled SQL PL objects can affect database security.

Within a debug session, the debugging user can freely alter the values of local routine and global variables. With this freedom, the debugging user can change what row and column access control rules evaluate to. These changes might allow the user to access data that they are not authorized for.

To prevent variable changes that allow unauthorized access, only users who are members of the built-in role, SYSDEBUG, can debug compiled SQL PL objects. The security administrator (SECADM) is the only authority that can grant or revoke membership in SYSDEBUG. This new role is meant to be used on a test system and not on a production system.

The following guidelines should be considered when working with SYSDEBUG:
  • Grant membership only to users who have a specific need to perform debugging on compiled SQL PL objects.
  • Revoke membership immediately when debugging is no longer needed.
  • Grant membership only in databases used for development or testing. Membership should not be granted within a production database environment.
  • Create and enable an audit policy for the SYSDEBUG role.
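
The guidelines above, written out as the statements a SECADM would run on a development or test database. This is an added example, not part of the original page: the user name DEVUSER1, the policy name SYSDEBUG_AUDIT and the choice of audit categories are assumptions to adapt to your own environment.

```sql
-- Run as a user holding SECADM, connected to a development or test database.
-- DEVUSER1 and SYSDEBUG_AUDIT are hypothetical names used for illustration.

-- 1. Create an audit policy for the role and attach it before granting
--    membership, so that debugging activity is recorded from the start.
--    Category selection is an assumption: EXECUTE WITH DATA records the
--    statements run by role members, CHECKING records authorization checks,
--    CONTEXT records operation context.
CREATE AUDIT POLICY SYSDEBUG_AUDIT
  CATEGORIES EXECUTE WITH DATA STATUS BOTH,
             CHECKING          STATUS BOTH,
             CONTEXT           STATUS BOTH
  ERROR TYPE AUDIT;

AUDIT ROLE SYSDEBUG USING POLICY SYSDEBUG_AUDIT;
COMMIT;

-- 2. Grant membership only to the user with a specific debugging need.
GRANT ROLE SYSDEBUG TO USER DEVUSER1;
COMMIT;

-- 3. Review who currently holds the role. Run this regularly, and on any
--    production database, where it should return no rows.
SELECT GRANTEE, GRANTEETYPE, GRANTOR, ADMIN
  FROM SYSCAT.ROLEAUTH
 WHERE ROLENAME = 'SYSDEBUG'
 ORDER BY GRANTEE;

-- 4. Confirm that the audit policy is associated with the role.
SELECT AUDITPOLICYNAME, OBJECTTYPE, SUBOBJECTTYPE, OBJECTNAME
  FROM SYSCAT.AUDITUSE
 WHERE OBJECTNAME = 'SYSDEBUG';

-- 5. Revoke membership as soon as the debugging work is finished.
REVOKE ROLE SYSDEBUG FROM USER DEVUSER1;
COMMIT;
```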