User Management

User Management is introduced in SQL/MX to allow DBS operation in a cloud-based environment. User Management features allow you to create and manage users and privilege groups. A user has a Guardian username, a Guardian user ID, and an optional external name, and can be a member of one or more user groups known as 'privilege groups'. Database Services use the user management features.

The main purpose of a privilege group is to act as grantee for privileges on objects and schemas. The access rights granted to a privilege group are extended to all current and future members of the privilege group. Privileges granted on a table or view to a privilege group do not enable group members to create objects that depend on that table or view.

An External Username is a SQL identifier, which is a synonym for a Guardian username. It is not related to a Safeguard alias and cannot be used to log on to the NonStop system except for MXCS authentication. It is associated with only one Guardian username and vice versa.

The user management features include the abilities to:
  • Represent Guardian usernames of owners, grantors, and grantees in metadata.

  • Associate an External Username with a Guardian username, and use that name on all commands that currently accept a Guardian username.

  • Create groups of users known as privilege groups.

  • Accept a privilege group as grantee on GRANT and REVOKE commands.

User Management is categorized as:

Automatic User Management

Whenever any GRANT, GIVE, DDL, or any utility command that implicitly creates objects is executed, the object owner or grantee information is stored in the User Management metadata.

Adding a Guardian user to the system using Safeguard does not invoke SQL/MX User Management automatically. The CREATE USER command must be used to perform user management for one or more Guardian users.

Explicit User Management

Allows the database provider to add and remove an External Username to or from the Guardian user. Removing the external name from any Guardian user removes only the External Username. The Guardian user information remains in the metadata.

Privilege Group Management

Allows management of explicit privilege groups.

Statements enhanced to accept External Username

The following statements are enhanced to accept an External Username as the target owner or grantee:
  • GIVE CATALOG

  • GRANT CREATE CATALOG

  • GRANT CREATE SCHEMA

  • GIVE Object

  • GIVE SCHEMA

  • GRANT SECURITY_ADMIN

  • REVOKE CREATE CATALOG

  • REVOKE CREATE SCHEMA

  • REVOKE SECURITY_ADMIN

The following commands are added for the User Management feature:
  • CREATE USER

  • DROP USER

  • CREATE PRIVILEGE GROUP

  • ALTER PRIVILEGE GROUP

  • GIVE PRIVILEGE GROUP

  • DROP PRIVILEGE GROUP