Thomas Stegbauer wrote: > > hi elke, > > thanx for the answer. > > Zabach, Elke schrieb: > > Thomas Stegbauer wrote: > > > > > >>hi list, > >> > >>after reading some mailinglist entries and some doc. it seems > >>roles are > >>the better usergroups > > > > > > Not quite correct, with roles and usergroups some problems can > > be overcome, but they use different ways. And roles and usergroups > > have nothing to do with each other. > > > > Roles can be thought of a named set of privileges. > > Users, (usergroups) and roles belong to the same namespace, > > must have different names. > > > > Privileges can be granted/revoked to/from roles and users, > > roles can be granted/revoked to/from roles and users. > > > > With roles it is easy to give new users all rights needed to do > > their new job (just grant the role to them) > > and to change the privileges for all users needing the same > > privileges (just grant/revoke privileges to/from the role). > > > > Roles do not include any privilege after creation. The > privileges have to be granted to the role. > > > > Many users may have the role granted, but in contrast to > usergroups were one user always belong to one > > usergroup, a user may have different roles from time to time. > > ok, to short it (one advantage of usergroups): > > new objects must get granted to roles, but this isn't needed to > usergroups, if the user are member to that group and the group has > resource right. > > > >>the rolemember can changed afterwards (what is not possible with > >>usergroups without deleting that user) > >> > >>the user can be member of more than one role (is this true) > >> > >>the rolepermission can get activated by the user later with a > >>rolepassword > >> > >>my problems and questions: > >> > >>1. where can i look, what roles exist? (why arent thy listed > >>under users > >>in sqlsto? or in the users view) > > > > > > see > > > http://www.sapdb.org/7.4/htmhelp/9c/b33d40425326439dfc0366a8dc > bf55/frameset.htm > > --> Roles > > > http://www.sapdb.org/7.4/htmhelp/4b/8eb554c5767c4a80bc8f769120 > d247/frameset.htm > > > > > >>2. where i check what members a role has? > > > > > > Roles do not have members. What do you mean? > > A role is a named set of privileges. > > ok, the question should be, where can i check to whom a role > is granted. > i took roles as special version of usergroups (what is i a > short way of > definition wrong) >
have a look at http://www.sapdb.org/7.4/htmhelp/f8/8c857053fcb74b9d44f264446e85b6/frameset.htm ROLEPRIVILEGES The system table ROLEPRIVILEGES describes the privileges and roles that are granted to roles for which the current user has privileges. Elke SAP Labs Berlin > > > > >>3. who can i add a user, usergroup or an other role to a > >>role? i didn't > >>find the appropriate doc page. > > > > > > You have to grant privileges to a role using GRANT, you can grant > > roles to roles and users > > and you have to enable roles using the SET-statement > > > http://www.sapdb.org/7.4/htmhelp/44/a17998442911d3a98200a0c944 9261/frameset.htm > which needs (depending on the role-definition) or does not need a password thanx > >>4. to elke: i was unable to find the discussion how >>permissions to all >>tables can get set by a script. have you more information for me, to >>find this. > > > What you have to do is: > > for all users in your database whose tables have to be granted > do > connect with that user > select tablename from tables > for all tablenames returned > do > grant ... on tablename to ... > get next tablename > end > commit > release the session > use next username > end thank you, this i already know, what i want :), my problem is do how. i thought already to catch this with a short shell-script. but the loadercli doesn't give the output of "select tablename from tables where owner=\"USER\"" greetings thomas >> >>p.s. if i forgot some important (dis)advantages from usergroups and >>roles or if some information are wrong, please correct me. >> -- -- # Thomas Stegbauer # http://www.keyserver.de:11371/pks/lookup?op=get&search=0xFF837A1A # Key fingerprint = E469 F5DC 42FB B530 F5CB 99CB CEB2 BFC6 FF83 7A1A _______________________________________________ sapdb.general mailing list [EMAIL PROTECTED] http://listserv.sap.com/mailman/listinfo/sapdb.general
