dbTalk Databases Forums  

Protect one dba from another

sybase.public.sqlanywhere.general

#1 Jon - 08-27-2009, 10:41 AM

Hello,

Is there a way to protect a procedure to not be able to be dropped
even by a user with dba authority? I am trying to secure accesses to
a database through the login_procedure option. So I have it all
working well, denying access to people when they don't need to be in
it etc., but I have users that need dba to create users and other dba
type stuff. If one of them gets malicious I don't want them to just
drop the login procedure I wrote and effectively take out all the
security I just put in.

Is there a way to do this (fine grain a user's dba status to only what
they need dba for)?

I have a feeling that people were given dba in the past just because
it was easier than finding the right authority for what they needed,
so is there a link somewhere to what actions you definitely need to be
dba to perform? I couldn't find one browsing the documentation.

Any help or pointing in the right direction?

Thanks!

#2 Reg Domaratzki [Sybase iAnywhere] - 08-27-2009, 12:10 PM

Jon wrote:
> Hello,
>
> Is there a way to protect a procedure to not be able to be dropped
> even by a user with dba authority.

No. If you have DBA authority, you can do whatever you like to the
database.

> I am trying to secure accesses to
> a database through the login_procedure option. So I have it all
> working well, denying access to people when they don't need to be in
> it etc., but I have users that need dba to create users and other dba
> type stuff. If one of them gets malicious I don't want them to just
> drop the login procedure I wrote and effectively take out all the
> security I just put in.
>
> Is there a way to do this (fine grain a user's dba status to only what
> they need dba for)?

No. Once DBA authority has been granted to a user, they pretty much
have permission to do whatever they want, including revoking DBA
privileges from all other users, resetting passwords. If you are
concerned about malicious users, they should NOT have DBA authority.

> I have a feeling that people were given dba in the past just because
> it was easier than finding the right authority for what they needed,
> so is there a link somewhere to what actions you definitely need to be
> dba to perform? I couldn't find one browsing the documentation.

Each SQL command specifies the permissions needed to execute the
command, but there is no list that specifies which commands can ONLY be
executed by those with DBA authority.

> Any help or pointing in the right direction?

The proper solution here is to revoke DBA privileges from every user
except the "true" DBA. You've mentioned that you "have users that need
dba to create users and other dba type stuff". I would wrap the ability
to create users in a stored procedure that was created by a user with
DBA authority, and then grant execute permissions on this stored
procedure to users that need the ability to create users. Stored
procedures execute using the privileges of the SP creator, not the user
that called them. You then need to wrap "other dba type stuff" inside
stored procedures as well.

--
Reg Domaratzki, Sybase iAnywhere Solutions
Please reply only to the newsgroup

Documentation : Exercise your WRITE @DocCommentXchange: DCX.sybase.com
SQL Anywhere Patches and EBFs : http://downloads.sybase.com/swd/base.do
-> Choose SQL Anywhere
-> Optionally set filter to "Display ALL platforms IN ALL MONTHS"
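
One way to write the wrapper described in the reply above, as an added example that is not part of the original thread and not the sample mentioned later in it. It assumes SQL Anywhere 11 or later (for CREATE USER and REGEXP); the procedure name and the account helpdesk_jon are hypothetical.

```sql
-- Added example. Run once while connected as the single remaining DBA.
-- Hypothetical names: DBA.sp_create_app_user, helpdesk_jon.
CREATE PROCEDURE DBA.sp_create_app_user(
    IN new_user VARCHAR(128),
    IN new_pwd  VARCHAR(255) )
BEGIN
    DECLARE bad_request EXCEPTION FOR SQLSTATE '99001';

    -- Both values are spliced into dynamic SQL that runs with the owner's
    -- DBA authority, so accept only conservative allow-lists.
    -- REGEXP must match the whole string; NULL is rejected explicitly
    -- because NULL NOT REGEXP ... evaluates to UNKNOWN, not TRUE.
    IF new_user IS NULL
       OR new_user NOT REGEXP '[A-Za-z][A-Za-z0-9_]{2,29}' THEN
        SIGNAL bad_request;
    END IF;

    IF new_pwd IS NULL
       OR new_pwd NOT REGEXP '[A-Za-z0-9_.!#%+=-]{12,64}' THEN
        SIGNAL bad_request;
    END IF;

    -- Never touch an existing account. The older
    -- GRANT CONNECT ... IDENTIFIED BY form changes the password of a
    -- user that already exists, which would include the DBA.
    IF EXISTS ( SELECT 1 FROM SYS.SYSUSER WHERE user_name = new_user ) THEN
        SIGNAL bad_request;
    END IF;

    -- Only a login is created; no authority (DBA, RESOURCE) is passed on.
    EXECUTE IMMEDIATE
        'CREATE USER "' || new_user || '" IDENTIFIED BY ''' || new_pwd || '''';
END;

-- Callers get EXECUTE on the wrapper only; without DBA authority or
-- ownership they cannot alter or drop it.
GRANT EXECUTE ON DBA.sp_create_app_user TO helpdesk_jon;

-- Then remove DBA authority from the account that used to need it.
REVOKE DBA FROM helpdesk_jon;
```

The same pattern applies to each further DBA-only task: one narrowly scoped procedure per task, owned by the DBA, with every argument validated before it reaches EXECUTE IMMEDIATE.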

#3 Jon - 08-27-2009, 12:55 PM

> Stored
> procedures execute using the privileges of the SP creator, not the user
> that called them. You then need to wrap "other dba type stuff" inside
> stored procedures as well.

That's perfect, exactly what I need to do. I didn't put two and two
together. The login procedure is an example of the SP running under
the user it's created on; I just didn't see it for the solution to the
other problems. Thanks for the quick response!

#4 Volker Barth - 08-28-2009, 02:31 AM

You may have a look at the thread "User Rights" from Herman Miller from
this April. There is a short sample for a "CreateUser" stored proc.

HTH
Volker

Jon wrote:
> > Stored
> > procedures execute using the privileges of the SP creator, not the user
> > that called them. You then need to wrap "other dba type stuff" inside
> > stored procedures as well.
>
> That's perfect, exactly what I need to do. I didn't put two and two
> together, the login procedure is an example of the SP running under
> the user it's created on I just didn't see it for the solution to the
> other problems. Thanks for the quick response!
