Neoview User Management and Security Administration Guide (R2.5)
granted. For example, if a role is granted Execute access on schema S1, users in that role can
automatically execute stored procedures on any new objects added to schema S1.
The WITH GRANT OPTION for schema level grants might be disabled on your system depending
on the settings for certain system defaults. Contact HP Support if you require changes in system
default settings.
NOTE: References and Update privileges at the schema level cannot specify individual columns.
Schema privileges apply to both DML and DDL operations:
• ALL_DDL lets the user perform any DDL operation on any object in the schema.
• ALL_DML lets the user perform any DML operation on any object in the schema.
• ALL lets the user perform any operation on any object in the schema.
• ALTER lets the user modify the definition of any object in the schema.
• ALTER_TABLE lets the user drop constraints; add, populate, and drop indexes; add, alter,
and drop triggers; modify file attributes; add columns; and rename tables for any table in
the schema.
• CREATE_TABLE lets the user create tables in the schema. A user who creates a table becomes
the owner of that table.
• CREATE_VIEW and CREATE MATERIALIZED VIEW let the user create views and
materialized views, respectively, in the schema. A user who creates a view becomes the
owner of that view.
• DROP lets the user drop objects from the schema.
For syntax and detailed information about the GRANT and REVOKE commands, see the Neoview
SQL Reference Manual.
Displaying Privileges for a Database Object
The HP Database Manager (HPDM) lets you display, for a table or other database object, which
Neoview roles have been granted which privileges and by whom. For detailed information about
this feature, look up “Privileges Tab” in the HPDM online help.
Database Privileges for Neoview Roles and Special Users
Table 6-1 lists the operations available in the Neoview database and which roles or special users
can perform the operation, by default. The GRANT command, described in detail in the SQL
Reference Manual, allows the schema or object owner to grant additional privileges; for example,
although by default the services ID cannot create tables in a schema owned by the customer, the
schema owner could explicitly grant such privileges to the services ID.
In the table, Y indicates that the user has the privilege by default. N indicates that the user does
not have the privilege unless granted by the owner of the database object. Note that the super
ID and schema owner have all database privileges, but by default, the services ID has only a
subset of privileges.
An important point to remember about SQL object ownership on Neoview is that ownership and
permissions are granted to roles, not to individual users. Thus, if users Murasaki_Shikibu and
George_Eliot create schemas called MURASAKI_SHIKIBU and GEORGE_ELIOT, respectively,
while logged on in the role ROLE.ACCTREP, Murasaki has access to objects in the schema
“GEORGE_ELIOT”, and George has access to objects in the schema “MURASAKI_SHIKIBU”.
If this situation is undesirable, define a separate role for each user; for example, assign
Murasaki_Shikibu the role ROLE.ACCTRPMS and George_Eliot the role ROLE.ACCTRPGE.
The fact that privileges are assigned to roles, rather than users, has the additional implication
that if a user has multiple roles, privileges for the user's schema should be assigned to each of
the user's roles if you want the user to have access to the schema when logged on in those roles.
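
The two implications above can be checked mechanically when reviewing role assignments. The following Python sketch is an added example, not part of the Neoview product or its documentation. It models the rule in simplified form (a role either has access to a schema or it does not), uses constructed sample data, and introduces a hypothetical second role, ROLE.AUDIT, for one user.

```python
# Added example: simplified model of role-based schema ownership.
# All data is constructed; ROLE.AUDIT is a hypothetical role name.

# user -> roles the user can log on in
USER_ROLES = {
    "Murasaki_Shikibu": {"ROLE.ACCTREP", "ROLE.AUDIT"},
    "George_Eliot": {"ROLE.ACCTREP"},
}
# schema -> (creating user, role the user was logged on in at creation)
SCHEMAS = {
    "MURASAKI_SHIKIBU": ("Murasaki_Shikibu", "ROLE.ACCTREP"),
    "GEORGE_ELIOT": ("George_Eliot", "ROLE.ACCTREP"),
}
# schema -> roles explicitly granted access in addition to the owning role
EXTRA_GRANTS = {}

def roles_with_access(schema):
    """Owning role plus any roles granted access by the owner."""
    _, owner_role = SCHEMAS[schema]
    return {owner_role} | EXTRA_GRANTS.get(schema, set())

def unintended_readers(schema):
    """Users other than the creator who reach the schema through a role."""
    creator, _ = SCHEMAS[schema]
    allowed = roles_with_access(schema)
    return sorted(user for user, roles in USER_ROLES.items()
                  if user != creator and roles & allowed)

def roles_missing_access(schema):
    """Creator's roles in which the creator cannot reach the schema."""
    creator, _ = SCHEMAS[schema]
    return sorted(USER_ROLES[creator] - roles_with_access(schema))

def audit():
    """Report both findings for every schema."""
    return {schema: {"shared_with": unintended_readers(schema),
                     "creator_roles_without_access": roles_missing_access(schema)}
            for schema in SCHEMAS}

if __name__ == "__main__":
    for schema, finding in audit().items():
        print(schema, finding)
```

A non-empty shared_with list marks a schema that would need a separate per-user role to stay private; a non-empty creator_roles_without_access list marks roles that still need a grant from the schema owner.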