Separation of Rights

Default Permission Model

DWS supports the separation of rights to manage user permissions. This mode is disabled by default. For details, see Separating Rights of Roles.

When the separation-of-duty mode is disabled, DWS has two types of users: system administrators and common users.

Table 1 lists the default user permissions.

Table 1 Default user permissions

| Object | System Administrator | Common User |
| --- | --- | --- |
| Tablespace | Can create, delete, access, or assign permissions for tablespaces. | Cannot create, delete, or assign permissions for tablespaces, and requires authorization to access tablespaces. |
| Table | Has all permissions for all tables. | Has all permissions for its own tables, but does not have permissions for other users' tables. |
| Index | Can create indexes for all tables. | Can create indexes for its own tables. |
| Schema | Has all permissions for all schemas. | Has all permissions for its own schemas, but does not have permissions for other users' schemas. |
| Function | Has all permissions for all functions. | Has all permissions for its own functions and can call other users' functions in the public schema, but has no permissions for other users' functions in other schemas. |
| View | Has all permissions for all views. | Has all permissions for its own views, but does not have permissions for other users' views. |
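The following script is an added example, not from the DWS documentation, showing how the default model in Table 1 plays out in practice: a system administrator creates two common users, and each user starts out with access only to its own objects and to no tablespace until the administrator grants it. The user names alice and bob, the table alice.orders, the tablespace app_ts and the passwords are assumed placeholders; the script relies on DWS creating a schema named after each new user, and on the standard has_*_privilege() functions being available.

```sql
-- Added example (not DWS documentation code). Run by a system administrator
-- with separation of rights disabled (the default model in Table 1).
-- Names, passwords and the tablespace app_ts are placeholders.

-- Two common users. DWS creates a schema of the same name for each.
CREATE USER alice PASSWORD 'Alice_Placeholder_1';
CREATE USER bob   PASSWORD 'Bob_Placeholder_1';

-- Table 1, row "Tablespace": a common user cannot use a tablespace until
-- it is authorized. Only alice is allowed to place objects in app_ts.
GRANT CREATE ON TABLESPACE app_ts TO alice;

-- A table in alice's schema owned by alice.
CREATE TABLE alice.orders (id int, amount numeric) TABLESPACE app_ts;
ALTER TABLE alice.orders OWNER TO alice;

-- Table 1, row "Table"/"Schema": the owner has full rights, another common
-- user has none, and bob still has no tablespace authorization.
SELECT has_table_privilege('alice', 'alice.orders', 'SELECT') AS owner_select;
SELECT has_schema_privilege('bob', 'alice', 'USAGE')          AS bob_schema_usage;
SELECT has_table_privilege('bob', 'alice.orders', 'SELECT')   AS bob_select_before_grant;
SELECT has_tablespace_privilege('bob', 'app_ts', 'CREATE')    AS bob_tablespace_create;

-- Cross-user access under the default model is an explicit, least-privilege
-- grant by the administrator: schema USAGE plus the one table privilege.
GRANT USAGE  ON SCHEMA alice TO bob;
GRANT SELECT ON alice.orders TO bob;

SELECT has_table_privilege('bob', 'alice.orders', 'SELECT')   AS bob_select_after_grant;

-- Revoking restores the default state of Table 1.
REVOKE SELECT ON alice.orders FROM bob;
REVOKE USAGE  ON SCHEMA alice FROM bob;
```

Before the grants, the three checks for bob return false and only the owner check returns true; after the two GRANT statements, bob_select_after_grant returns true. Granting schema USAGE together with a single table privilege, rather than ALL on the schema, is the practical reading of the "requires authorization" cells in Table 1.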

Permission Model with Separation-of-Duty Enabled

When the separation-of-duty mode is enabled, DWS users can be divided into four types: system administrators, security administrators, audit administrators, and common users. The rights of the administrators are separated from each other. Table 2 lists their system permissions.

NOTE:

System administrator Ruby is an initial user who has all the permissions of the database. This user exists in the system by default and cannot be created again.

Table 2 Administrator permissions with the rights separation mode enabled

| Administrator | Permission to Create Users | Permission to View Audit Logs | System Administrator Permission |
| --- | --- | --- | --- |
| System administrator | No | No | Yes |
| Security administrator | Yes | No | No |
| Audit administrator | No | Yes | No |

In the separation of rights mode, the object permissions of each administrator are listed in Table 3.

Table 3 Object permissions with the rights separation mode enabled

| Object | System Administrator | Security Administrator | Audit Administrator | Common User |
| --- | --- | --- | --- | --- |
| Tablespace | Can create, delete, access, or assign permissions for tablespaces. | Cannot create, delete, or assign permissions for tablespaces, and requires authorization to access tablespaces. | Cannot create, delete, or assign permissions for tablespaces, and requires authorization to access tablespaces. | Cannot create, delete, or assign permissions for tablespaces, and requires authorization to access tablespaces. |
| Table | Has all permissions for its own tables, but does not have permissions for other users' tables in their own schemas. | Has all permissions for its own tables, but does not have permissions for other users' tables. | Has all permissions for its own tables, but does not have permissions for other users' tables. | Has all permissions for its own tables, but does not have permissions for other users' tables. |
| Index | Can create indexes for its own tables. | Can create indexes for its own tables. | Can create indexes for its own tables. | Can create indexes for its own tables. |
| Schema | Has all permissions for its own schemas, but does not have permissions for other users' schemas. | Has all permissions for its own schemas, but does not have permissions for other users' schemas. | Has all permissions for its own schemas, but does not have permissions for other users' schemas. | Has all permissions for its own schemas, but does not have permissions for other users' schemas. |
| Function | Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas. | Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas. | Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas. | Has all permissions for its own functions, but does not have permissions for other users' functions in their schemas. |
| View | Has all permissions for its own views and other users' views in the public schema, but does not have permissions for other users' views in their own schemas. | Has all permissions for its own views, but does not have permissions for other users' views. | Has all permissions for its own views, but does not have permissions for other users' views. | Has all permissions for its own views, but does not have permissions for other users' views. |
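The following script is an added example, not from the DWS documentation, showing how the three administrator roles of Table 2 are set up and checked once separation of rights has been enabled. It assumes that the mode is already on (enabled as described in Separating Rights of Roles), that the first statement is run by the initial system administrator mentioned in the note above (who keeps all permissions), and that DWS accepts the GaussDB-style CREATEROLE, SYSADMIN and AUDITADMIN user options, the pg_roles columns rolcreaterole, rolsystemadmin and rolauditadmin, and the pg_query_audit() function; the role names, passwords and time window are placeholders, and each of these names should be verified against your cluster version.

```sql
-- Added example (not DWS documentation code). Separation of rights is
-- assumed to be enabled already. Role names and passwords are placeholders;
-- the user options and catalog columns are assumed from GaussDB conventions.

-- Step 1: run as the initial system administrator, the only account that
-- still has every permission. It creates the security administrator, the
-- role that Table 2 says is allowed to create users from now on.
CREATE USER sec_admin WITH CREATEROLE PASSWORD 'SecAdmin_Placeholder_1';

-- Step 2: run as sec_admin (Table 2: "Permission to Create Users" = Yes).
-- The day-to-day system administrator and the audit administrator are
-- separate accounts, so no single role holds all three capabilities.
CREATE USER sys_admin   WITH SYSADMIN   PASSWORD 'SysAdmin_Placeholder_1';
CREATE USER audit_admin WITH AUDITADMIN PASSWORD 'AuditAdmin_Placeholder_1';
CREATE USER alice                       PASSWORD 'Alice_Placeholder_1';

-- Step 3: verify the split. Each administrator row should carry exactly one
-- of the three attributes, matching the Yes/No cells of Table 2.
SELECT rolname, rolcreaterole, rolsystemadmin, rolauditadmin
  FROM pg_roles
 WHERE rolname IN ('sec_admin', 'sys_admin', 'audit_admin', 'alice')
 ORDER BY rolname;

-- Step 4: run as sys_admin. Per Table 2 the system administrator no longer
-- creates users, so this statement is expected to be rejected.
CREATE USER mallory PASSWORD 'Mallory_Placeholder_1';

-- Step 5: run as audit_admin, the only role with "Permission to View Audit
-- Logs". Time window is a placeholder.
SELECT * FROM pg_query_audit('2024-01-01 00:00:00', '2024-01-02 00:00:00');
```

The catalog query in step 3 is the check worth scripting into a periodic review: any role that shows more than one of rolcreaterole, rolsystemadmin and rolauditadmin set, other than the initial administrator, has collapsed the separation that Table 2 describes.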