PROBLEM WITH A GROUP

3 posts in General Discussion. Last posting was on 2008-07-25 20:14:32.0Z
Alexis Garcia Posted on 2008-07-24 16:21:12.0Z
From: ALEXIS GARCIA
Newsgroups: ianywhere.public.general
Subject: PROBLEM WITH A GROUP

Good day.

I have a problem, I assign a user to a group within the
database connected to a user who does not have privileges
DBA, is that possible?

That is my alternative to a user without role of DBA users
can assign a group?

Thank you.

P.S. I write from Latin America, I am using Google
translator, I apologize for any errors of translation.


Chris Keating (Sybase iAnywhere) Posted on 2008-07-24 18:54:19.0Z
From: "Chris Keating (Sybase iAnywhere)" <keating_spam_free@ianywhere.com>
Newsgroups: ianywhere.public.general
Subject: Re: PROBLEM WITH A GROUP

If I understand your question...

It is not possible directly. However, you could create a procedure owned
by a group or user with DBA authority that implements the tasks. Any
user granted permission to execute the procedure could then perform the
actions defined in that procedure but would not require any DBA rights
-- the procedure will run with the authority of the procedure owner. You
would simply need to decide how to grant execute on the procedure to the
user. In the example below, the procedure is owned by a group, the group
was given execute permission on the procedure, and the user was granted
membership into the group.

-- **********************************************
-- Do the following as a user with DBA authority
-- **********************************************

-- create group membership admin group
GRANT CONNECT TO "GroupMembershipAdmin";
GRANT GROUP TO "GroupMembershipAdmin";
GRANT DBA TO "GroupMembershipAdmin";

-- Adds user to a group
-- (builds the GRANT statement from the two arguments and runs it
-- with the authority of the procedure owner)
CREATE PROCEDURE
    "GroupMembershipAdmin"."GrantGroupMembership"
    (in groupName char(128), in userId char(128))
begin
    declare grantStmt long varchar;
    set grantStmt =
        string( 'GRANT MEMBERSHIP IN GROUP ',
                groupName, ' to ', userId );
    execute immediate grantStmt;
end;

-- grant permission to the owner to execute the procedure
-- this allows members of the group GroupMembershipAdmin
-- to execute the procedure. Otherwise, you need to
-- explicitly grant the permission to the user
GRANT EXECUTE ON
    "GroupMembershipAdmin"."GrantGroupMembership"
    TO "GroupMembershipAdmin";

-- create user and make them a member of
-- GroupMemberShipAdmin. This user will be
-- able to execute GrantGroupMembership()
-- to do a task normally limited to a user
-- with DBA authority.
grant connect to u identified by u;
call GroupMembershipAdmin.GrantGroupMembership
    ('GroupMemberShipAdmin', 'u');


-- create another user
grant connect to u1 identified by u1;

Now when you log in as user 'u', you can grant group membership with
this call:

call GroupMembershipAdmin.GrantGroupMembership
    ('GroupMemberShipAdmin', 'u1');


You can use the same technique to allow non-DBA users to perform any
task requiring DBA authority. For example, the procedure could be
written to create a user and add them to appropriate groups.


--

Chris Keating

****************************************
Please only post to the newsgroup

SQL Anywhere Developer Community
http://www.sybase.com/developer/library/sql-anywhere-techcorner
SQL Anywhere Blog Center
http://www.sybase.com/sqlanyblogs
Maintenance releases and EBFs
http://downloads.sybase.com/swx/sdmain.stm
Use Case Express to report bugs
http://case-express.sybase.com

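
Added example, not part of the original post or of any Sybase code: the procedure above concatenates its two arguments into a GRANT that runs with DBA authority, so a delegated caller controls the statement text and can name any group, including the admin group itself. The variant below checks both arguments before building the statement. The table DelegableGroups, the procedure name GrantGroupMembershipChecked, the sample group SalesStaff and the use of the SYS.SYSUSERPERMS catalog view are assumptions for a SQL Anywhere version that uses the group/authority model shown in the thread.

```sql
-- Added example (not from the thread). Assumed names: DelegableGroups,
-- GrantGroupMembershipChecked, SalesStaff. Run as a user with DBA authority.

-- Groups that delegated users may hand out; everything else is refused.
CREATE TABLE "GroupMembershipAdmin"."DelegableGroups" (
    group_name CHAR(128) NOT NULL PRIMARY KEY
);
GRANT CONNECT TO "SalesStaff";           -- constructed sample group
GRANT GROUP TO "SalesStaff";
INSERT INTO "GroupMembershipAdmin"."DelegableGroups" VALUES ( 'SalesStaff' );
COMMIT;

CREATE PROCEDURE "GroupMembershipAdmin"."GrantGroupMembershipChecked"
    ( IN groupName CHAR(128), IN userId CHAR(128) )
BEGIN
    DECLARE bad_argument EXCEPTION FOR SQLSTATE '99001';
    DECLARE grantStmt LONG VARCHAR;

    -- 1. The group must be on the allowlist, so the DBA-owned procedure
    --    cannot be used to join the admin group or any unlisted group.
    IF NOT EXISTS ( SELECT 1 FROM "GroupMembershipAdmin"."DelegableGroups"
                    WHERE group_name = groupName ) THEN
        SIGNAL bad_argument;
    END IF;

    -- 2. The grantee must be an existing user ID in the catalog
    --    (assumption: SYS.SYSUSERPERMS is available in this version).
    IF NOT EXISTS ( SELECT 1 FROM SYS.SYSUSERPERMS
                    WHERE user_name = userId ) THEN
        SIGNAL bad_argument;
    END IF;

    -- 3. Refuse anything that could close the quoted identifier early.
    IF groupName LIKE '%"%' OR userId LIKE '%"%' THEN
        SIGNAL bad_argument;
    END IF;

    -- Arguments are now known names; emit them as delimited identifiers.
    SET grantStmt = STRING( 'GRANT MEMBERSHIP IN GROUP "', groupName,
                            '" TO "', userId, '"' );
    EXECUTE IMMEDIATE grantStmt;
END;

GRANT EXECUTE ON "GroupMembershipAdmin"."GrantGroupMembershipChecked"
    TO "GroupMembershipAdmin";
```

With this version, a call naming a group that is not in DelegableGroups, or a userId that is not an existing user, fails with SQLSTATE 99001 before any GRANT is built.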


Alexis Garcia Posted on 2008-07-25 20:14:32.0Z
From: Alexis Garcia
Newsgroups: ianywhere.public.general
Subject: Re: PROBLEM WITH A GROUP

Thanks Chris,

I will follow your recommendations.

Greetings.
