Proxy authorization

Adaptive Server provides the proxy authorization capability, which allows one user to assume the identity of another user on a server-wide basis. A System Security Officer can grant the ability to assume the security context of another user to selected logins. If a login has permission to use proxy authorization, the login can impersonate any other login in Adaptive Server.

WARNING! The ability to assume another user’s identity is extremely powerful and must be strictly limited. A user with this permission could assume the identity of the “sa” login, which would give the user unlimited power within Adaptive Server. Plan to limit this permission to trusted administrators and applications, and to audit their server activity.

A System Security Officer or a System Administrator might want to assume the permissions of another user to make sure the permissions are correct for a user or to perform maintenance on a user’s database objects.

An application server can use proxy authorization to login to Adaptive Server with a generic login, which the application server uses to execute procedures and commands for several users.

A System Security Officer uses the grant set proxy or grant set session authorization command to give a user permission to use proxy authorization. The user with this permission can then execute either set proxy or set session authorization to become another user. A user executing set proxy or set session authorization operates with both the login and server user ID of the user being impersonated. The login and server user ID are active across the entire server in all databases.

Noteset proxy and set session authorization are identical in function and can be used interchangeably. The only difference between them is that set session authorization is SQL92 compatible, and set proxy is a Transact-SQL extension.

For more information about proxy authorization, see the Security Administration Guide.