Neoview User Management and Security Administration Guide (R2.5)

6 Database Security
The Neoview platform extends ANSI-compliant database security features to enhance security
and simplify administration tasks.
Before performing the tasks described in this chapter, you or some other user must already have
completed the post-installation setup, LDAP server integration if applicable, and user and role
management tasks listed in the “Security Administration Task Map” (page 29).
DBAs should also have created various database schemas and objects, using SQL statements
described in the Neoview SQL Reference Manual.
Database Views
The Neoview database supports SQL views, which allow you to control access to table data by
different sets of users. For example, to give different users access to different subsets of the data,
you can define a separate view for each subset and give the different users access to different
views.
Grant/Revoke Access to Database Objects
A database administrator or schema owner uses the Neoview SQL GRANT and REVOKE
commands to assign or rescind database access privileges, for example:
Delete: The ability to remove data from a database table or view.
Insert: The ability to add data to a database table or view.
References: The ability to refer to data in a database table or view by using keys from another table.
Select: The ability to retrieve data from a database table or view.
Update: The ability to modify data in a database table or view. (This privilege can apply to all or a
subset of database columns.)
Execute: The ability to execute stored procedures in Java using invoker privileges. (The holder of this
privilege must have appropriate privileges with respect to objects accessed by the stored
procedure.)
The owner of a schema can grant or revoke privileges pertaining to individual objects or to all
objects within the schema. The schema owner can also grant another role the right to grant or
revoke privileges pertaining to objects in the schema. However, a user can revoke only a privilege
granted by the same role; for example, a user in the role ROLE.PAYROLL can revoke a privilege
granted by another user in the role ROLE.PAYROLL but not a privilege granted by a user in the
role ROLE.DBA. If a user other than the schema owner creates a new object in the schema, only
that user or the schema owner has access to that object.
Privileges are granted to or revoked from a role, not an individual user; thus, granting a privilege
confers that privilege on all users who have the role. Granting a privilege to PUBLIC means that
any user assigned to any current or future role has the privilege.
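As an added example that is not from the manual, the statements below put the two preceding sections together: a view that exposes only a subset of a table's rows and columns, and GRANT/REVOKE statements that follow the rules above (privileges go to roles, UPDATE limited to one column, delegation of granting rights, and removal of a PUBLIC grant). The schema PAYROLLDB, its table and view, and ROLE.SALES are hypothetical; ROLE.PAYROLL and PUBLIC are the names used in the text. The syntax is the ANSI form the text refers to and should be checked against the Neoview SQL Reference Manual.

```sql
-- Added example (not from the Neoview manual). PAYROLLDB, EMPLOYEE,
-- SALES_DIRECTORY and ROLE.SALES are hypothetical names; the statements use
-- ANSI GRANT/REVOKE syntax, which is assumed to match Neoview SQL.

-- 1. The base table keeps sensitive columns (salary, SSN) next to directory data.
CREATE TABLE PAYROLLDB.EMPLOYEE (
    EMP_ID    INT           NOT NULL PRIMARY KEY,
    DEPT      CHAR(4)       NOT NULL,
    FULL_NAME VARCHAR(60)   NOT NULL,
    SALARY    DECIMAL(10,2) NOT NULL,
    SSN       CHAR(11)      NOT NULL
);

-- 2. The view is the unit of access control: it exposes one subset of rows
--    (sales department only) and columns (no SALARY, no SSN).
CREATE VIEW PAYROLLDB.SALES_DIRECTORY AS
    SELECT EMP_ID, DEPT, FULL_NAME
    FROM PAYROLLDB.EMPLOYEE
    WHERE DEPT = 'SALE';

-- 3. Privileges are granted to a role, never to an individual user. Every
--    user holding ROLE.SALES can read the view; the role receives nothing on
--    the base table, so the hidden columns and rows stay unreachable.
GRANT SELECT ON PAYROLLDB.SALES_DIRECTORY TO ROLE.SALES;

-- 4. Column-level UPDATE: ROLE.PAYROLL may read the table and change
--    SALARY, but cannot modify SSN or any other column.
GRANT SELECT, UPDATE (SALARY) ON PAYROLLDB.EMPLOYEE TO ROLE.PAYROLL;

-- 5. Delegated administration: WITH GRANT OPTION lets ROLE.PAYROLL pass
--    SELECT on to other roles. Per the rules above, a privilege that
--    ROLE.PAYROLL then grants can be revoked only by a user in ROLE.PAYROLL.
GRANT SELECT ON PAYROLLDB.EMPLOYEE TO ROLE.PAYROLL WITH GRANT OPTION;

-- 6. A PUBLIC grant reaches every current and future role, so it should not
--    exist on a table with sensitive columns; remove it if it was ever given.
REVOKE SELECT ON PAYROLLDB.EMPLOYEE FROM PUBLIC;
```

A periodic review of which roles hold privileges on base tables (as opposed to views) is the quickest way to spot grants that bypass the view layer.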
“Schema privileges” grant a privilege for all objects in the specified schema and are typically
used to distribute the tasks of managing a large application. Schema privileges apply not only
to existing objects but also to any new objects created in the schema after the privilege was