ADD_GU_TRUST¶
Allows users of type GU to provide direct grants on their own objects to other users of type GU. This is called a GU trust relationship within SCURTY.
This procedure does not issue the grant statement itself. It only allows a GU the successful execution of SQL GRANT statements.
Example: GU user “GU1” was granted an object group that contains some tables. The User creates a view on one of the tables and needs to provide access to that view to another user of type GU (“GU2”). To allow GU1 to provide this privilege to GU2, both users must be added as grantor (GU1) and grantee (GU2) using this procedure. User GU1 is then able to issue the following SQL statement successfully: “GRANT SELECT ON myview TO GU2;” .
If tenant security is in place for the granted object or the underlying table, the grantee needs to be granted tenant access to see or modify any data. Otherwise, the user has access to the granted object but not to the underlying data. In the above example, the user will be able to query the view but will not see any row without access to tenants. If tenant security is not in place for the granted object or the underlying table, the user will get unrestricted access to data.
A GU trust relationship can only be provided between two users of type GU.
- A GU user may be allowed to provide three different kinds of object privileges to other GU users:
allow to grant EXECUTE privileges
allow to grant READ and SELECT privileges
allow to grant DML privileges (INSERT, UPDATE and/or DELETE)
If granted objects should be automatically added to an object group, the name of the object group may be provided in parameters p_reg_og_select (for READ or SELECT privilege grants), p_reg_og_dml (for INSERT, UPDATE or DELETE privilege grants) and/or p_reg_og_excecute (for EXECUTE privileges). Objects are added to the object group only after the next automatic or manual SCURTY refresh following a SQL GRANT statement between two users of type GU. The object group must not be protected.
The protection status is visible in table ADM_SOURCES. Automatically added objects can not be removed manually from an object group using procedure p_rep_designer.unregister_object. Use procedure p_rep_admin.change_gu_trust to remove such an object.
This procedure inserts a row into table REP_GU_TRUST.
Parameter Name |
Required |
DefaultValue |
Values |
Description |
|---|---|---|---|---|
p_grantor |
yes |
The username of a GU-user that is allowed to provide object grants. |
||
p_grantee |
yes |
The username of a GU-user that is allowed to receive object grants. |
||
p_grant_execute |
yes |
|
Should it be allowed to provide EXECUTE privileges?
If NULL is provided, the value is set to FALSE. |
|
p_grant_select |
yes |
FALSE |
|
Should it be allowed to provide READ or SELECT privileges?
If NULL is provided, the value is set to FALSE. |
p_grant_dml |
yes |
FALSE |
|
Should it be allowed to provide INSERT, UPDATE and/or DELETE privileges?
If NULL is provided, the value is set to FALSE. |
p_reg_og_select |
no |
NULL |
The name of an object group. An object is automatically added to this object group if a READ or a SELECT privilege is granted on the object using this GU trust relationship. If an object group name is provided, the group must exist and the source that created it must not be protected. The protection status is visible in table ADM_SOURCES. |
|
p_reg_og_dml |
no |
NULL |
The name of an object group. An object is automatically added to this object group if an INSERT, UPDATE or DELETE privilege is granted on the object using this GU trust relationship. If an object group name is provided, the group must exist and the source that created it must not be protected. The protection status is visible in table ADM_SOURCES. |
|
p_reg_og_execute |
no |
NULL |
The name of an object group. An object is automatically added to this object group if an EXECUTE privilege is granted on the object using this GU trust relationship. If an object group name is provided, the group must exist and the source that created it must not be protected. The protection status is visible in table ADM_SOURCES. |
Example
Allow user ‘GU1’ to provide direct grants on objects to user ‘GU2’. The privileges that may be granted are READ/SELECT (the first ‘TRUE’ in the example) and INSERT/UPDATE/DELETE (the second ‘TRUE’). Execute privileges may not be granted (‘FALSE’). If a READ or a SELECT privilege is provided, the granted object will be added to object group ‘HR’. An object is not added to an object group if INSERT, UPDATE, DELETE or EXECUTE privileges are provided (‘NULL’):
EXEC p_rep_admin.add_gu_trust ( 'GU1' , 'GU2' , FALSE , TRUE , TRUE , 'HR' , NULL , NULL );