cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Removing DBA authority

former_SQLA_member1694892
Participant

on ‎2019 Jun 04 8:09 AM

1,357

SQL Anywhere 16. We had someone retire, and I am removing his role as a dba. He feels that removing his dba role will affect any authorities he granted as dba. I'm sure that's not true, as it's not like I'm removing the dba user! But I said that I would ask.

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
VolkerBarth
Contributor
‎2019 Jun 04 8:43 AM
0 Kudos

You are asking with the lesson learnt from that question, right?

former_SQLA_member1694892
Participant
‎2019 Jun 04 8:45 AM
0 Kudos

Yes, I am! And everyone is nervous about removing anything. 🙂

VolkerBarth
Contributor
‎2019 Jun 04 8:47 AM
0 Kudos

What exactly statement(s) are you going to run, and how was the DBA role assigned?

Note, I'm just asking for details, I won't be able to answer your question...

former_SQLA_member1694892
Participant
‎2019 Jun 04 8:59 AM
0 Kudos

Grant DBA to "JDoe" is how it was assigned. and Revoke DBA from "JDoe" is how I plan to remove.

VolkerBarth
Contributor
‎2019 Jun 04 9:30 AM
0 Kudos

As stated, I do not know, and besides the obvious "Just test this on a copy of your database or a sample database" the following quote makes me wonder...:

From the REVOKE statement (deprecated):

If you revoke a privilege for a user and they also had WITH GRANT OPTION for that privilege, then everyone who that user granted the privilege to also has their privilege revoked. For example, suppose you granted UserA SELECT...WITH GRANT OPTION privileges on a table and UserA then grants the SELECT privilege on the table to UserB. If you revoke the SELECT privilege from UserA, it is revoked from UserB as well.

In my understanding, the former "DBA authority" / new "SYS_AUTH_DBA_ROLE compatibility role" has no explicit "WITH GRANT OPTION", so the above effect may or may not apply.

Resume: I won't be able to answer your question...

Accepted Solutions (0)

Answers (1)

Answers (1)

Breck_Carter
Participant
‎2019 Jun 04 11:18 AM

Change the password, and otherwise leave well enough alone 🙂

Show replies
Show replies
VolkerBarth
Contributor
‎2019 Jun 04 11:27 AM

Well, better drop the password, right?

That being said, it would be somewhat disappointing if the fancy and mighty v16 role-based access model would be soo complex that "never drop a user" would make the common rule of thumb...

former_SQLA_member1694892
Participant
‎2019 Jun 04 1:19 PM
0 Kudos

Point taken, Breck. I guess I need to stop trying to clean up users. And totally agree with you, Volker.

former_SQLA_member1694892
Participant
‎2019 Jun 04 2:56 PM
0 Kudos

I did ask our paid support. As I think this should work; not sure how warm and fuzzy I feel about it. Will likely go with altering password.

Hi,

After some testing, as long as the user is not getting deleted. It is not going to effect other database object that the user added, edited while logging in as DBA,

Regards,

xxxxxxx

04.06.2019 11:41:34 CST

Breck_Carter
Participant
‎2019 Jun 05 11:37 AM
0 Kudos

> Well, better drop the password, right?

Either that, or make the new password strong, secret, and in the possession of someone authorized to be a DBA. Having a password avoids the extra step of adding a password should the need arise to use that id.

> fancy and mighty v16 role-based access model

...a solution looking for a problem most people simply ... do ... not ... have.

(most people don't read in-flight magazine articles about security 🙂

Ask a Question