SQL Anywhere Studio Security Guide
Keeping Your Data Secure
Controlling database access
Users can access only those objects to which they have been granted access.
You grant permission on an object to another user with the GRANT statement. You can also grant a user permission to pass on the permissions on an object to other users.
The GRANT statement also gives more general permissions to users. Granting CONNECT permissions to a user allows them to connect to the database and change their passwords. Granting RESOURCE authority allows the user to create tables, views, procedures, and so on. Granting DBA authority to a user gives that user the ability to see and do anything in the database. The DBA would also use the GRANT statement to create and administer groups.
The REVOKE statement is the opposite of the GRANT statement—any permission that GRANT has explicitly given, REVOKE can take away. Revoking CONNECT from a user removes the user from the database, including all objects owned by that user.
Adaptive Server Anywhere does not support negative permissions. This means that you cannot revoke a permission that was not explicitly granted.
For example, suppose user bob is a member of a group called sales. If a user grants DELETE permission on a table, T, to sales, then bob can delete rows from T. If you want to prevent bob from deleting from T, you cannot simply execute a REVOKE DELETE on T from bob, since the DELETE ON T permission was never granted directly to bob. In this case, you would have to revoke bob's membership in the sales group.
For more information, see: