Sat, 16 Sep 2023 08:51:39 +0200, /fed/:

My doubt is that, if I am not wrong, every user that can connect to the network server can create a new database and so indirectly a new directory in the same places where the user that runs the network server has write permissions. I would prefer to create the database not directly on the network server but with the embedded driver and then later make it available on the network server. Maybe it is possible to limit this behaviour via the security manager but I don't think this can change a lot of the behaviour.

Is it possible to disable/prevent/limit this?

That's an interesting question I'm also curious about.

I've found the following documentation references that could be explored while waiting for more knowledgeable respondents to chime in:

* Configuring user authorization (Derby Security Guide) <https://db.apache.org/derby/docs/10.16/security/csecauthorization.html>
* Configuring fine-grained user authorization <https://db.apache.org/derby/docs/10.16/security/csecauthorfine.html>

If you are using LDAP authentication, then you will need to enable fine-grained authorization by setting the derby.database.sqlAuthorization property to true.

If you use NATIVE authentication, there is no need to set the derby.database.sqlAuthorization property. NATIVE authentication automatically enables fine-grained authorization.

"SQL standard authorization":

* derby.database.sqlAuthorization (Derby Reference Manual) <https://db.apache.org/derby/docs/10.16/ref/rrefpropersqlauth.html>

I couldn't find specific privileges about creating a database – have you tried if enabling "SQL standard authorization" (if not already?) disables this for remote access and/or non-admin users?

--
Stanimir
