What can a user with SET ANY SECURITY OPTION do?

Breck_Carter
Participant
1,195

Apparently there is no list, or even a Help topic that describes exactly what SET ANY SECURITY OPTION allows.

Oh, no, wait, there's this: SET ANY SECURITY OPTION Allows a user to set any PUBLIC security database options.

...well, that was useful ...not ...there is no such thing as "security database option" according to a search of the Help.

Accepted Solutions (1)

VolkerBarth
Contributor

> In particular: I want to give a user the ability to "SET OPTION PUBLIC.database_authentication", and I want to know what the implications are.

If that is the only option required, wouldn't a separate wrapper procedure do the trick?

Breck_Carter
Participant

> wouldn't a separate wrapper procedure do the trick?

Yes, indeed, that is the best answer... I am forever grateful for the CREATE PROCEDURE ... SQL SECURITY DEFINER clause.

Every few years I have to check "Is that really the default?" and then I re-discover The Watcom Rule... yes, that is the way it should be done, so yes, that is the way SQL Anywhere does it 🙂
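
The wrapper-procedure approach agreed on in the exchange above, sketched as an added example (not code from either poster or from the SQL Anywhere documentation). The names `opt_owner`, `app_user` and `set_database_authentication` are hypothetical, the option value is a placeholder, and the script assumes it is run by an administrator who can create users and procedures owned by other users.

```sql
-- Hypothetical owner account that holds the broad privilege.
-- Created without a password, so nobody can connect as it.
CREATE USER opt_owner;
GRANT SET ANY SECURITY OPTION TO opt_owner;

-- The wrapper runs with the privileges of its owner (SQL SECURITY DEFINER,
-- which is also the default) and exposes exactly one action: setting this
-- one option to one fixed value. It takes no parameters, so the caller
-- cannot redirect it to another option or supply a different value.
CREATE OR REPLACE PROCEDURE opt_owner.set_database_authentication()
SQL SECURITY DEFINER
BEGIN
    SET OPTION PUBLIC.database_authentication =
        '<authentication string placeholder>';
END;

-- The application user (hypothetical name) gets EXECUTE on the wrapper only,
-- not the SET ANY SECURITY OPTION system privilege itself.
GRANT EXECUTE ON opt_owner.set_database_authentication TO app_user;

-- What app_user then runs:
CALL opt_owner.set_database_authentication();

-- The broad alternative the thread is trying to avoid, shown for contrast:
-- it would let app_user set every PUBLIC security option, including
-- allow_read_client_file and allow_write_client_file.
-- GRANT SET ANY SECURITY OPTION TO app_user;
```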

Answers (2)

VolkerBarth
Contributor
0 Kudos

Hm, apparently the PUBLIC database options are separated into

  • PUBLIC security database options (requiring SET ANY SECURITY OPTION system privilege),
  • PUBLIC system database options (requiring SET ANY SYSTEM OPTION system privilege),
  • PUBLIC user-defined database options (requiring SET ANY USER DEFINED OPTION system privilege)
  • and all other PUBLIC database options (requiring SET ANY PUBLIC OPTION system privilege).

The required system privilege seems to be documented for the corresponding option. IMHO, this seems adequate... (And practically, SYS_AUTH_DBA_ROLE comprises all those privileges...:) )

Breck_Carter
Participant
0 Kudos

You answered a different question: "What privileges are required to do [some individual action]?"

You pointed out that the documentation for [each individual action] clearly specifies the privilege(s) required.

That's not what I asked.

I asked the question "What [list of actions] require the SET ANY SECURITY OPTION system privilege?"

Putting it another way: "What [list of actions] will the user SUDDENLY be able to perform if I grant the SET ANY SECURITY OPTION privilege?"

In particular: I want to give a user the ability to "SET OPTION PUBLIC.database_authentication", and I want to know what the implications are.

These "grouping" privileges like SET ANY SECURITY OPTION are poorly designed... they are too broad, and the lack of thorough documentation makes them a security risk ...folks will GRANT powerful privileges just to get through the day, without understanding the implications.

You mentioned SYS_AUTH_DBA_ROLE... that's exactly my point... I do NOT want to grant too much 🙂

VolkerBarth
Contributor

> That's not what I asked.
>
> I asked the question "What [list of actions] require the SET ANY SECURITY OPTION system privilege?"

Yes, I'm aware, and obviously the docs do not contain a separate list of those options (or an explanation of what exactly would qualify an option as a security option vs. a system option).

As you already stated, searching for the corresponding privilege in the help (only) lists the corresponding individual option pages - so you got your list, I'd think...

I just wanted to note that these four option categories seem to be disjoint, so your search result should at least be non-overlapping with other option privileges. Otherwise, your search result would list options that might as well be allowed for a different option privilege.

Breck_Carter
Participant
0 Kudos

> you got your list, I'd think

Yeah, but it took me tooooo long to think of that.

And with your other answer, I don't have to... I can go back to not thinking about the "role model" at all 🙂

VolkerBarth
Contributor
0 Kudos

That's what I generally do with the "role model", as well 🙂

Breck_Carter
Participant
0 Kudos

A crude search-by-example yields a list of topics: "with SET ANY SECURITY OPTION"

allow_read_client_file Option
Product: SAP SQL Anywhere
Yes, with SET ANY SECURITY OPTION Yes, with SET ANY SECURITY OPTION Yes, with SET ANY SECURITY OPTION ... Yes, with SET ANY SECURITY OPTION Yes (current connection only), with SET ANY SECURITY OPTION No ...
Guide: SQL Anywhere Database Administration
Last updated: December 10, 2020

allow_write_client_file Option
Product: SAP SQL Anywhere
Yes, with SET ANY SECURITY OPTION Yes, with SET ANY SECURITY OPTION Yes, with SET ANY SECURITY OPTION ... Yes, with SET ANY SECURITY OPTION Yes (current connection only), with SET ANY SECURITY OPTION No ...
Guide: SQL Anywhere Database Administration
Last updated: December 10, 2020

...and so on