thanx for the answer.
Zabach, Elke wrote:
Thomas Stegbauer wrote:
hi list,
after reading some mailinglist entries and some doc. it seems roles are the better usergroups
Not quite correct, with roles and usergroups some problems can be overcome, but they use different ways. And roles and usergroups have nothing to do with each other.
Roles can be thought of as a named set of privileges. Users, (usergroups) and roles belong to the same namespace,
must have different names.
Privileges can be granted/revoked to/from roles and users, roles can be granted/revoked to/from roles and users.
With roles it is easy to give new users all rights needed to do their new job (just grant the role to them)
and to change the privileges for all users needing the same privileges (just grant/revoke privileges to/from the role).
Roles do not include any privilege after creation. The privileges have to be granted to the role.
Many users may have the role granted, but in contrast to usergroups where one user always belongs to one usergroup, a user may have different roles from time to time.
ok, to short it (one advantage of usergroups):
new objects must get granted to roles, but this isn't needed for usergroups, if the users are members of that group and the group has resource right.
the rolemember can be changed afterwards (what is not possible with usergroups without deleting that user)
the user can be member of more than one role (is this true)
the rolepermission can get activated by the user later with a rolepassword
my problems and questions:
1. where can i look, what roles exist? (why aren't they listed under users in sqlsto? or in the users view)
see http://www.sapdb.org/7.4/htmhelp/9c/b33d40425326439dfc0366a8dcbf55/frameset.htm --> Roles http://www.sapdb.org/7.4/htmhelp/4b/8eb554c5767c4a80bc8f769120d247/frameset.htm
2. where do i check what members a role has?
Roles do not have members. What do you mean? A role is a named set of privileges.
ok, the question should be, where can i check to whom a role is granted.
i took roles as special version of usergroups (what is i a short way of definition wrong)
3. how can i add a user, usergroup or another role to a role? i didn't find the appropriate doc page.
You have to grant privileges to a role using GRANT, you can grant roles to roles and users and you have to enable roles using the SET-statement http://www.sapdb.org/7.4/htmhelp/44/a17998442911d3a98200a0c9449261/frameset.htm which needs (depending on the role-definition) or does not need a password
thanx
4. to elke: i was unable to find the discussion how permissions to all tables can get set by a script. have you more information for me, to find this.
What you have to do is:
for all users in your database whose tables have to be granted do
    connect with that user
    select tablename from tables
    for all tablenames returned do
        grant ... on tablename to ...
        get next tablename
    end
    commit release the session
    use next username
end
thank you, this i already know, what i want :), my problem is do how.
i thought already to catch this with a short shell-script. but the loadercli doesn't give the output of "select tablename from tables where owner=\"USER\""
greetings thomas
p.s. if i forgot some important (dis)advantages of usergroups and roles or if some information is wrong, please correct me.
-- -- # Thomas Stegbauer # http://www.keyserver.de:11371/pks/lookup?op=get&search=0xFF837A1A # Key fingerprint = E469 F5DC 42FB B530 F5CB 99CB CEB2 BFC6 FF83 7A1A
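The per-owner grant loop described in the message above, as an added example that is not part of the original thread: a POSIX shell function that turns an owner/table listing into the GRANT statements each owner would run, granting to a role instead of to individual users. The tab-separated input format, the role name REPORTING, the privilege allowlist and the function names are assumptions; fetching the listing and sending the statements to the database are left to the client tool.

```shell
#!/bin/sh
# Added example: generate per-owner GRANT statements from a table listing.
# Input on stdin: one "OWNER<TAB>TABLENAME" pair per line (constructed format).

# Quote an SQL identifier: wrap it in double quotes and double any embedded
# quote, so an unusual catalog name cannot change the generated statement.
quote_ident() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# gen_grants PRIVILEGE ROLE OWNER   (listing on stdin)
# Prints the statements OWNER has to run in their own session.
gen_grants() {
    priv=$1; role=$2; owner=$3
    # Allowlist of privileges (hypothetical choice): no ALL, no free text.
    case $priv in
        SELECT|INSERT|UPDATE|DELETE) ;;
        *) echo "refusing privilege: $priv" >&2; return 2 ;;
    esac
    # The role name is emitted unquoted, so accept plain identifiers only.
    case $role in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad role name: $role" >&2; return 2 ;;
    esac
    tab=$(printf '\t')
    while IFS=$tab read -r row_owner table; do
        [ "$row_owner" = "$owner" ] || continue   # only this owner's tables
        [ -n "$table" ] || continue               # skip malformed rows
        printf 'GRANT %s ON %s.%s TO %s\n' "$priv" \
            "$(quote_ident "$row_owner")" "$(quote_ident "$table")" "$role"
    done
}

# Constructed sample listing: two owners, one table name containing a quote.
sample_listing() {
    printf 'ALICE\tORDERS\nALICE\tweird"name\nBOB\tINVOICES\n'
}

# Demo: the statements ALICE would run to give the role read access.
sample_listing | gen_grants SELECT REPORTING ALICE
```

Because the privileges go to the role, a later change is one GRANT or REVOKE on the role instead of one per user.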
