In Sybase IQ 12.7, the default behavior is that only write servers can:
Modify TABLE permissions (select, insert, delete, update, references and alter) on tables owned by the write server.
Modify EXECUTE permission on stored procedures and functions owned by the write server.
Execute GRANT/REVOKE of DBA, RESOURCE, GROUP, or MEMBERSHIP.
Create a user (GRANT CONNECT TO... where the user does not exist).
Drop a user (REVOKE CONNECT FROM...).
The following objects, when created on a write server, are owned by that server and cannot be dropped or altered on a query server:
Tables
Views
Indexes
Data types
Messages
Constraints
Procedures
Functions
Comments
The following, when created, altered, or dropped on a write server, propagate to query servers:
IQ base tables, IQ global temporary tables, and indexes on either IQ base or global temporary tables
IQ referential integrity constraints and IQ check constraints
User-defined data types (domains)
Messages
Users and groups. For more information, see “Multiplex login management”.
Permissions
Views
Comments
Stored procedures and functions
The following are permitted on query servers:
CREATE, ALTER, and DELETE EVENT
Changing a user password via GRANT CONNECT TO... IDENTIFIED BY ... when the user already exists
The database options MPX_GLOBAL_TABLE_PRIV and MPX_LOCAL_SPEC_PRIV let you override the permission restrictions. For details, see “MPX_GLOBAL_TABLE_PRIV option” and “MPX_LOCAL_SPEC_PRIV option” in Sybase IQ Reference Manual.
