Separation of Permissions

Descriptions in Default Permission Mechanism and System Administrator are about the initial situation after a cluster is created. By default, a system administrator with the SYSADMIN attribute has the highest-level permissions.

To avoid risks caused by centralized permissions, you can enable the separation of permissions to delegate system administrator permissions to security administrators and audit administrators.

After the separation of permissions is enabled, a system administrator does not have the CREATEROLE attribute (security administrator) and AUDITADMIN attribute (audit administrator). That is, you do not have the permissions for creating roles and users and the permissions for viewing and maintaining database audit logs. For details about the CREATEROLE and AUDITADMIN attributes, see CREATE ROLE.

After the separation of permissions is enabled, system administrators have the permissions only for the objects owned by them.

For details, see Separating Rights of Roles.

For details about permission changes before and after enabling the separation of permissions, see Table 1 and Table 2.

Table 1 Default user permissions

Object

System Administrator

Security Administrator

Audit Administrator

Common User

Tablespace

Can create, modify, delete, access, and allocate tablespaces.

Cannot create, modify, delete, or allocate tablespaces, with authorization required for accessing tablespaces.

Table

Has permissions for all tables.

Has permissions for its own tables, but does not have permissions for other users' tables.

Index

Can create indexes on all tables.

Can create indexes on their own tables.

Schema

Has permissions for all schemas.

Has all permissions for its own schemas, but does not have permissions for other users' schemas.

Function

Has permissions for all functions.

Has permissions for its own functions, has the call permission for other users' functions in the public schema, but does not have permissions for other users' functions in other schemas.

Customized view

Has permissions for all views.

Has permissions for its own views, but does not have permissions for other users' views.

System catalog and system view

Has permissions for querying all system catalogs and views.

Has permissions for querying only some system catalogs and views. For details, see System Catalogs and System Views.

Table 2 Changes in permissions after the separation of permissions

Object

System Administrator

Security Administrator

Audit Administrator

Common User

Tablespace

No change

No change

Table

Permissions reduced

Has all permissions for its own tables, but does not have permissions for other users' tables in their schemas.

No change

Index

Permissions reduced

Can create indexes on its own tables.

No change

Schema

Permissions reduced

Has all permissions for its own schemas, but does not have permissions for other users' schemas.

No change

Function

Permissions reduced

Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas.

No change

Customized view

Permissions reduced

Has all permissions for its own views and other users' views in the public schema, but does not have permissions for other users' views in their schemas.

No change

System catalog and system view

No change

No change

No change

Has no permission for viewing any system catalogs or views.