Idents and Privileges

This chapter discusses Mimer SQL idents, privileges and database connections.

Mimer SQL Idents

An ident is an authorization-ID used to identify different kinds of users in a Mimer SQL database.

There are three kinds of ident in Mimer SQL: USER, PROGRAM and GROUP.

Idents connect to a database through the CONNECT statement and the ENTER statement is used to take up the privileges provided by a PROGRAM ident (see below).

Every USER ident has a unique ident name and an optional private password which must be correctly supplied to the CONNECT or ENTER statement in application programs. A USER ident may access the database without explicitly providing a user name or password on condition that the user name for the user currently logged in to the operating system correspond to the definition of the USER in the Mimer SQL database.

Every PROGRAM ident has a unique ident name and a private password which must be correctly supplied to the CONNECT or ENTER statement in application programs.

USER

USER idents are authorized to connect to a Mimer SQL database by using the CONNECT statement in an application program, or by entering the correct ident name and password in an interactive environment, or by using an OS_USER login.

Any privileges a USER ident holds may be exercised once the ident has logged on. USER idents are generally associated with specific physical individuals authorized to connect to the database.

PROGRAM

PROGRAM idents provide specific privileges required when executing certain operations. PROGRAM idents may not initiate a connection to a Mimer SQL database, but may be entered from within an application program or interactive environment by using the ENTER statement.

A connection should have been established before the ENTER statement is used, see Connecting to a Database. Entering a PROGRAM ident is analogous to logging on as a USER ident, in that the PROGRAM ident gains access to the system and any privileges the ident holds become applicable.

PROGRAM idents are generally associated with specific functions within the system, not with physical individuals.

GROUP

GROUP idents are collective identities that provide common privileges for groups of users or PROGRAM idents.

Any privileges granted to or revoked from a GROUP ident automatically apply to all members of the group.

Any ident can be a member of as many groups as required, and one group can include any number of members.

GROUP idents provide a facility for organizing the privilege structure in the database system.

Database Privileges

The access of each ident to the database is defined by privileges granted within the system.

The privileges are grouped as follows:

System privileges

Object privileges

Access privileges.

System Privileges

Privilege

Explanation

BACKUP

gives the right to perform databank backup and restore operations.

DATABANK

gives the right to create databanks.

IDENT

gives the right to create idents.

SCHEMA

gives the right to create schemas.

SHADOW

gives the right to create and manage databank shadows.

STATISTICS

gives the right to execute the UPDATE STATISTICS statement.

Object Privileges

Privilege

Explanation

TABLE

gives the right to create tables in a specified databank.

SEQUENCE

gives the right to create sequences in a specified databank.

EXECUTE

gives the right to access a routine or to enter (connect to) a specified PROGRAM ident.

MEMBER

grants membership in a specified GROUP ident.

USAGE

gives the right to specify the named domain where a data type would normally be specified (in contexts where use of domains is allowed) or the right to use a specified sequence or collation.

Access Privileges

Privilege

Explanation

SELECT

gives the right to read the table contents.

INSERT

gives the right to add new rows to the table.

DELETE

gives the right to remove rows from the table.

UPDATE

gives the right to update the contents of the table.

REFERENCES

gives the right to use the primary key or unique keys of the table as a foreign key from another table.

About Privileges

System privileges are automatically granted to the system administrator at installation, and may be passed on to other idents.

Object and access privileges are initially granted only to the creator of an object. The creator may however grant the privileges on to other idents.

All privileges may be granted with or without GRANT OPTION, which controls the right of the receiving ident to grant the privilege on to another ident.

Certain operations are not controlled by explicit privileges, but may only be performed by the creator of the object involved. These operations include ALTER (with the exception of ALTER IDENT, which may be performed by either the ident himself or by the creator of the ident), DROP and COMMENT. Similarly, privileges may only be revoked by their grantor.