Separation of Permissions¶
By default, the system administrator with the SYSADMIN attribute has the highest permission in the system. To avoid risks caused by centralized permissions, you can enable the separation of permissions to delegate system administrator permissions to security administrators and audit administrators.
After the separation of permissions is enabled, a system administrator does not have the CREATEROLE attribute (security administrator) and AUDITADMIN attribute (audit administrator). That is, you do not have the permissions for creating roles and users and the permissions for viewing and maintaining database audit logs. For details about the CREATEROLE and AUDITADMIN attributes, see CREATE ROLE.
After the separation of permissions is enabled, system administrators have the permissions only for the objects owned by them.
For details about how to configure separation of permissions, see "Managing a Cluster > Cluster Security Configuration > Configuring Separation of Permissions" in the Data Warehouse Service (DWS) User Guide.
For details about permission changes before and after enabling the separation of permissions, see Table 1 and Table 2.
Object | System Administrator | Security Administrator | Audit Administrator | Common User |
---|---|---|---|---|
Tablespace | Can create, modify, delete, access, and allocate tablespaces. | Cannot create, modify, delete, or allocate tablespaces, with authorization required for accessing tablespaces. | ||
Table | Has permissions for all tables. | Has permissions for its own tables, but does not have permissions for other users' tables. | ||
Index | Can create indexes on all tables. | Can create indexes on their own tables. | ||
Schema | Has permissions for all schemas. | Has all permissions for its own schemas, but does not have permissions for other users' schemas. | ||
Function | Has permissions for all functions. | Has permissions for its own functions, has the call permission for other users' functions in the public schema, but does not have permissions for other users' functions in other schemas. | ||
Customized view | Has permissions for all views. | Has permissions for its own views, but does not have permissions for other users' views. | ||
System catalog and system view | Has permissions for querying all system catalogs and views. | Has permissions for querying only some system catalogs and views. For details, see System Catalogs and System Views. |
Object | System Administrator | Security Administrator | Audit Administrator | Common User |
---|---|---|---|---|
Tablespace | No change | No change | ||
Table | Permissions reduced Has all permissions for its own tables, but does not have permissions for other users' tables in their schemas. | No change | ||
Index | Permissions reduced Can create indexes on its own tables. | No change | ||
Schema | Permissions reduced Has all permissions for its own schemas, but does not have permissions for other users' schemas. | No change | ||
Function | Permissions reduced Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas. | No change | ||
Customized view | Permissions reduced Has all permissions for its own views and other users' views in the public schema, but does not have permissions for other users' views in their schemas. | No change | ||
System catalog and system view | No change | No change | No change | Has no permission for viewing any system catalogs or views. |