Cloudscape and Security

Users and Authorization Identifiers

User names within the Cloudscape system are known as authorization identifiers. The authorization identifier is a string that represents the name of the user, if one was provided in the connection request. For example, the built-in function CURRENT_USER returns the authorization identifier for the current user.

Once the authorization identifier is passed to the Cloudscape system, it becomes an SQL92Identifier. SQL92Identifiers--the kind of identifiers that represent database objects such as tables and columns--are case-insensitive (they are converted to all caps) unless delimited with double quotes, are limited to 128 characters, and have other limitations.

User names must be valid authorization identifiers even if user authentication is turned off, and even if all users are allowed access to all databases.

For more information about SQL92Identifiers, see SQL92Identifier in the Cloudscape Reference Manual.

Authorization Identifiers, User Authentication, and User Authorization

When working with both user authentication and user authorization, you need to understand how user names are treated by each system. If an external authentication system is used, the conversion of the user's name to an authorization identifier does not happen until after authentication has occurred but before user authorization (see User Authorization). Imagine, for example, a user named Fred.

  • Within the user authentication system, Fred is known as FRed. Your external user authentication service is case-sensitive, so Fred must always type his name that way.

    Connection conn = DriverManager.getConnection(
        "jdbc:cloudscape:myDB", "FRed", "flintstone");

  • Within the Cloudscape user authorization system, Fred becomes a case-insensitive authorization identifier. Fred is known as FRED.
  • When specifying which users are authorized to access the accounting database, you must list Fred's authorization identifier, FRED (which you can type as FRED, FREd, or fred, since the system automatically converts it to all-uppercase).

    cloudscape.fullAccessUsers=sa,FRED,mary

Let's take a second example, where Fred has a slightly different name within the user authentication system.

As shown in the first example, your external authentication system may be case-sensitive, whereas the authorization identifier within Cloudscape may not be. If your authentication system allows two distinct users whose names differ only by case, delimit all user names within the connection request with double quotes to make all user names case-sensitive within the Cloudscape system. You must also use double quotes to delimit user names that do not conform to SQL92Identifier rules.
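
The check below is an added example, not part of the Cloudscape documentation or product code. It models the rules this page states (undelimited names are converted to all caps, delimited names keep their case, 128-character limit) and flags external user names that would map to the same authorization identifier. The class and method names are hypothetical, and the pattern used for undelimited names is an assumed SQL-92 regular-identifier form, since this page does not list the other limitations.

```java
import java.util.*;

// Added example: audits external user names against the identifier rules described above.
public class AuthIdAudit {
    static final int MAX_LEN = 128; // limit stated on this page

    // Returns the authorization identifier for a user name as typed in a
    // connection request, or throws if the name is not a valid identifier.
    static String toAuthId(String name) {
        String id;
        if (name.length() >= 2 && name.startsWith("\"") && name.endsWith("\"")) {
            id = name.substring(1, name.length() - 1);      // delimited: case is preserved
        } else if (name.matches("[A-Za-z][A-Za-z0-9_]*")) { // assumption: SQL-92 regular identifier
            id = name.toUpperCase(Locale.ROOT);             // undelimited: converted to all caps
        } else {
            throw new IllegalArgumentException("must be delimited with double quotes: " + name);
        }
        if (id.isEmpty() || id.length() > MAX_LEN) {
            throw new IllegalArgumentException("invalid identifier length: " + name);
        }
        return id;
    }

    // Groups external (case-sensitive) user names by the authorization identifier they produce.
    static Map<String, List<String>> groupByAuthId(List<String> externalNames) {
        Map<String, List<String>> byId = new TreeMap<>();
        for (String n : externalNames) {
            try {
                byId.computeIfAbsent(toAuthId(n), k -> new ArrayList<>()).add(n);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED  " + e.getMessage());
            }
        }
        return byId;
    }

    public static void main(String[] args) {
        // Constructed sample: names as a case-sensitive external authentication system might hold them.
        List<String> names = Arrays.asList("FRed", "fred", "sa", "mary", "\"FRed\"", "mary-ann");
        // Two distinct external users sharing one identifier also share its authorization.
        groupByAuthId(names).forEach((id, users) ->
            System.out.println((users.size() > 1 ? "COLLISION " : "ok        ") + id + " <- " + users));
    }
}
```

Any identifier reported as a collision means two separately authenticated users would be treated as one user by properties such as cloudscape.fullAccessUsers unless their names are delimited in the connection request.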

User Names and Schemas

User names can affect a user's default schema. For information about user names and schemas, see SET SCHEMA statement in the Cloudscape Reference Manual.

Exceptions

Specifying an invalid authorization identifier in a database user authorization property raises an exception. Specifying an invalid authorization identifier in a connection request raises an exception.