User's Guide
PART 4. Database Administration and Advanced Use
CHAPTER 22. Keeping Your Data Secure
Users can access only those objects to which they have been granted access.
Granting permission on an object to another user is done using the GRANT statement. It is also possible to grant a user a grant option to an object, which allows that user to pass on the permissions to other users.
The GRANT statement is also used to give more general permissions to users. Granting CONNECT permissions to a user is used to create users and to change their passwords. Granting RESOURCE to a user is required for the user to create tables, views, procedures, etc. Granting DBA to a user gives that user the ability to see and do anything in the database. The DBA would also use the GRANT statement to create and administer groups.
The REVOKE statement is the opposite of the GRANT statement—any permission that GRANT has explicitly given, REVOKE can take away. Revoking CONNECT from a user will remove the user from the database, including all objects owned by that user.
Adaptive Server Anywhere does not support negative permissions. This means that you cannot revoke a permission that was not explicitly granted.
For example, suppose user bob is a member of a group called sales. If a user grants DELETE permission on a table T to sales, then bob can delete rows from T. If you want to prevent bob from deleting from T, you cannot simply execute a REVOKE DELETE on T from bob, since the DELETE ON T permission was never granted directly to bob. In this case, you would have to revoke bob's membership in the sales group.
For more information see:
Designing database objects for securityViews and stored procedures provide alternative ways of tuning the data users can access and the tasks they can perform.
For more information on these features, see: