Many (all?) sybase sites struggle with a problem causing a lot of
administration, frustration and lost time. The problem stems from the fact
that a (small) group of people (application developers, "super-users",
"dba's to be", analysts/designers) need permission to READ everything in
spesific database(s) or servervide. The select permission on tables of
course is the most important.
I guess this is solved in one of two bad ways:
By giving them far too much (like dbo or dbo alias or sa_role) causing dba
"nightmare's" or by a very great lot of "granting select table by table"
I know that the new role based authorization that came with 12.x probably
could be used to reduce the problem, but it would still take a lot of
The problem would be solved with a new DB_READER role (and possibly a
similar servervide SA_READER_ROLE). Logins with DB_READER role on db x
should have "all permissions that the DBO(alias) has on db x, EXCEPT the
permission to CHANGE anything". The new role must be type "zero
administration", example: must include all existing and new tables
Are you familiar with this problem?
Do you like the suggestion?
Date: Thu, 14 Nov 2002 07:34:00 -0500
Subject: New DB_READER and SA_READER roles?
Content-Type: text/plain; charset="us-ascii"
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:250
Article PK: 93424
X-Newsreader: trn 4.0-test75 (Feb 13, 2001)
From: firstname.lastname@example.org (Mike Harrold)
Originator: email@example.com (Mike Harrold)
Date: Fri, 15 Nov 2002 16:44:23 -0500
NNTP-Posting-Host: shell.core.com 22.214.171.124
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:245
Article PK: 93418
In article <C9D17BBD1B7A36B10045081085256C71.0045083F85256C71@webforums>,
This is interesting, but for the record this is _not_ a Sybase-specific
problem. 'Orable has the same issue. I assume other DBMS do as well.
I'm not sure the new role-based admin makes much of a difference here
as you could always have granted the select permission to public in the