Your Browser is not longer supported

Please use Google Chrome, Mozilla Firefox or Microsoft Edge to view the page correctly
Loading...

{{viewport.spaceProperty.prod}}

Privilege sets

The security administrator can group global privileges together to form a privilege set with a freely selectable name.

These privilege sets can be used to create authorization profiles which are precisely matched to the requirements of specific users.

A system privilege may be included in more than one privilege set. Privilege sets are stored in the user catalog, which means that different definitions can be stored in each pubset. The definitions in the home pubset apply to the current session.

This has the following advantages for security administration:

  • Privilege sets are managed centrally in the user catalog, where the following information is stored for the privilege sets:

    • their names and definitions

    • the names of the assigned privilege sets for each user.

    Since the definitions of the privilege sets and the assignments of the names to a user are independent of each other, modifying a definition makes it possible to assign or withdraw privileges to/from a large group of user IDs with a single command. The time delay which would result from withdrawing a specific privilege from or assigning a specific privilege to each individual user ID is obviated.

  • The security administrator can obtain a rapid overview of the distribution and assignment of privileges (see also section "SHOW-PRIVILEGE-SET").

Users are affected as follows by privilege sets:

  • A user can possess both privilege sets and individual privileges.

  • If a privilege set is assigned to a user, then this user can use all system privileges of the privilege set. Individual privileges and privilege sets are independent of each other. If a user ID already possesses a privilege which is also assigned in a privilege set, this individual privilege is not affected by modification of the privilege set; the user ID keeps the individual privilege until it is explicitly withdrawn.

  • If a privilege set is assigned to a user, the name of the privilege set is stored with the user ID, but the definition is not. The connection between the privileges assigned to the user with the privilege set and the definition of this privilege set is made via the name of the privilege set.

  • Privilege sets are not taken into account for the rule that each user ID must possess at least one individual privilege (see section "Rules for assigning privileges"”). This means that it is not possible for a user ID to possess a privilege set while not possessing at least one individual privilege. The reason for this is as follows: if a user ID could possess a privilege set as its only privilege, removal of all privileges from this privilege set would mean that this user ID would possess no privileges at all.

If privileges are to be assigned in groups to individual user IDs, the central maintenance and checking facilities make it advisable to assign these privileges in the form of privilege sets. Even if a privilege set contains only one privilege, the central modification facility permits the desired results to be achieved fastest. This also ensures that one user ID is not forgotten during a major reorganization, thus freeing the way for a potential security risk “via the back door”.

Powered by Atlassian Confluence and Scroll Viewport.