If you are using restricted decrypt permission, you can assign the privileges for creating the task’s schema and managing keys as follows:
System Security Officer – initially sets the system encryption password.
System Security Officer – configures restricted decrypt permission.
System Security Officer – creates encryption keys and grants select permission on keys to the DBO.
DBO – creates the schema and loads data.
System Security Officer – grants decrypt permission to the end user.
When restricted decrypt permission is set to 1, key custodians still have implicit create encryption key permission.
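
The five steps above as one isql session script. This is an added example, not taken from the product documentation. The database sales_db, key cc_key, key owner sso_user, table customer, user app_user, the password and the sample row are all placeholders, and the script assumes the DBO's user name in the database is dbo.

```sql
-- Added example: every object name, user name and password here is a placeholder.

-- 1. System Security Officer: set the system encryption password in the
--    database that will hold the keys.
use sales_db
go
sp_encryption system_encr_passwd, '<system-encryption-password>'
go

-- 2. System Security Officer: configure restricted decrypt permission.
sp_configure 'restricted decrypt permission', 1
go

-- 3. System Security Officer: create the key, then grant select on it so the
--    DBO can reference it in a column definition.
create encryption key cc_key for AES with keylength 256
go
grant select on cc_key to dbo   -- assumption: the DBO's user name is dbo
go

-- 4. DBO: create the schema and load data. The key name is owner-qualified
--    because the SSO's database user (placeholder sso_user) owns it.
create table customer (
    id      int          not null,
    name    varchar(60)  not null,
    cc_num  char(16)     encrypt with sso_user.cc_key
)
go
insert customer values (1, 'Constructed Sample', '0000000000000000')
go

-- 5. System Security Officer: grant decrypt permission to the end user.
--    Select permission on the table is a separate grant made by its owner.
grant decrypt on customer (cc_num) to app_user
go
```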