
SQL Anywhere Studio Security Guide
  Restrictions and Other Security Concerns

Security warnings


This page describes operation of Adaptive Server Anywhere in a manner equivalent to a C2-security-certified configuration. It does not provide general-purpose information on the topic.

Below are some other security issues to be aware of:

  1. Since triggers execute with the permission of the table owner, it is possible for any user with ALTER permission on a table to write a trigger that accesses other tables owned by the same user. Please be aware that by granting ALTER permission on a table to another user, you are effectively granting all permissions on all of your tables to that user.

  2. Audit records are created when a trigger is fired, and when the stored procedure executed by the trigger finishes. The user ID listed in these audit records is that of the owner of the table on which the trigger is defined.

  3. Stored procedures may contain the GRANT command. When such a procedure is executed, the GRANT is done with the permissions of the owner of the stored procedure, not those of the caller. Be aware of this when creating stored procedures containing GRANT statements.

  4. Windows NT has the ability to audit actions taken by users. It is recommended that users configure Windows NT to audit the sybase user. Note that such auditing could produce a large amount of data.

    For more information, see Operating system installation.

  5. Permissions on tables and columns are cumulative, but independent. This means that if executing two different GRANT statements gives overlapping permissions, revoking one of the two does not revoke the other.

    For example, if user fred executes GRANT UPDATE (Street) on the Employee table to sue, Sue can update the Street column of table Employee.

    If user fred subsequently executes GRANT UPDATE on the Employee table to sue, Sue is then able to update any column of the Employee table.

    If user fred then executes REVOKE UPDATE on Employee from sue, the second grant is revoked, but the first grant is still in effect. Sue still has the ability to update the Street column of table Employee.
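The sequence from item 5 written out as SQL, followed by a check of what sue still holds and the explicit column-level revoke that clears it. This is an added example, not part of the original guide. It assumes fred owns Employee, that the SYS.SYSTABAUTH and SYS.SYSCOLAUTH catalog views exist with the columns shown, and that REVOKE accepts a column list in the installed version.

```sql
-- Run as fred, the owner of Employee (names taken from the example above).

-- 1. Column-level grant: sue may update Employee.Street only.
GRANT UPDATE (Street) ON Employee TO sue;

-- 2. Table-level grant: sue may now update every column of Employee.
GRANT UPDATE ON Employee TO sue;

-- 3. Revoke the table-level grant. The column-level grant from step 1
--    is a separate permission and is left in place.
REVOKE UPDATE ON Employee FROM sue;

-- 4. Check what sue still holds on Employee.
--    Assumption: these catalog views and column names are available.
SELECT grantor, grantee, ttname, updateauth, updatecols
  FROM SYS.SYSTABAUTH
 WHERE grantee = 'sue'
   AND ttname  = 'Employee';

SELECT grantor, grantee, tname, colname, privilege_type
  FROM SYS.SYSCOLAUTH
 WHERE grantee = 'sue'
   AND tname   = 'Employee';

-- 5. A row for Street in the second result means the step 1 grant
--    survived step 3. Remove it explicitly.
REVOKE UPDATE (Street) ON Employee FROM sue;
```

When removing a user's access to a table, run the step 4 queries again after the final REVOKE to confirm that no column-level rows remain.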

