The Database Server Administrator (DBSA), by default user informix, can grant the built-in EXTEND role to one or more users or to PUBLIC with the GRANT EXTEND TO user-list statement. Only users who have the EXTEND role can create or drop external UDRs that are written in the C or Java languages, both of which support shared libraries. (It is sufficient to hold the EXTEND role; it is not necessary to activate it with the SET ROLE statement for a user to be able to create and drop external UDRs.) Conversely, the REVOKE EXTEND FROM user-list statement cancels the EXTEND role of the specified users, preventing them from creating or dropping any external UDRs, as in the following example:
REVOKE EXTEND FROM 'max'
This statement prevents user max from creating or dropping external UDRs, even if max is the owner of a UDR that he subsequently attempts to drop.
In databases for which this security feature is not needed, the DBSA can disable this restriction on who can create or drop external UDRs by setting the IFX_EXTEND_ROLE configuration parameter to OFF in the ONCONFIG file. When IFX_EXTEND_ROLE is set to OFF, users with at least the Resource privilege on the database can create or drop external UDRs. See Database-Level Privileges for information about the Resource privilege.
If you revoke from user privileges or a role that you granted using the WITH GRANT OPTION keywords, you sever the chain of privileges granted by that user. Thus, when you revoke privileges from users or from a role, you also revoke the same privilege resulting from GRANT statements in the following contexts:
The following examples illustrate this situation. You, as the owner of the table items, issue the following statements to grant access privileges to user mary:
REVOKE ALL ON items FROM PUBLIC GRANT SELECT, UPDATE ON items TO mary WITH GRANT OPTION
User mary then uses her new privilege to grant users cathy and paul access to the items table:
GRANT SELECT, UPDATE ON items TO cathy GRANT SELECT ON items TO paul
Later you revoke privileges on the items table from user mary:
REVOKE SELECT, UPDATE ON items FROM mary
This single statement effectively revokes all privileges on the items table from users mary, cathy, and paul.
The CASCADE keyword has the same effect as this default condition.
Without the AS clause, the user who executes the REVOKE statement must be the grantor of the privilege that is being revoked. The DBA or the owner of the object can use the AS clause to specify another user (who must be the grantor of the privilege) as the revoker of the privileges. The AS clause provides the only mechanism by which privileges can be revoked on a database object whose owner is an authorization identifier, such as informix, that is not also a valid user account known to the operating system.
In Extended Parallel Server, the AS revoker clause is not valid in a REVOKE statement that cancels a role.
Enterprise Edition Home | Express Edition Home | [ Top of Page | Previous Page | Next Page | Contents | Index ]