Adaptive Server identifies users during a session by login name. This identification applies to all databases in the server. When the user creates an object, the server associates both the owner’s database user ID (uid) and the creator’s login name with the object in the sysobjects table. This information concretely identifies the object as belonging to that user, which allows the server to recognize when permissions on the object can be granted implicitly.
If an Adaptive Server user creates a table and then creates a procedure that accesses the table, any user who is granted permission to execute the procedure does not need permission to access the object directly. For example, by giving user “mary” permission on proc1, she can see the id and descr columns from table1, though she does not have explicit select permission on the table:
create table table1 (id int, amount money, descr varchar(100))
create procedure proc1 as select id, descr from table1
grant execute on proc1 to mary
There are, however, some cases where implicit permissions are only useful if the objects can be concretely identified. One case is where aliases and cross-database object access are both involved.
You cannot drop an alias if the aliased login created any objects or thresholds. Before using sp_dropalias to remove an alias that has performed these actions, remove the objects or procedures. If you still need them after dropping the alias, re-create them with a different owner.
Copyright © 2005. Sybase Inc. All rights reserved. |