Cloudscape and Security
Reference Manual
User Authorization

Cloudscape provides user authorization, which is a means of granting users permission to access a database (or system). Cloudscape allows you to distinguish between full (read-write) access and read-only access. (Cloudscape Version 3.6 does not support the SQL GRANT and REVOKE features, which allow you to set permissions to specific database objects or specific SQL actions.)

Setting User Authorization

Database or System Access

Typically, you configure user authorization for a particular database. However, Cloudscape also allows you to configure user authorization for the system, which is useful during development and for specifying a secure default access for all databases in the system.

To control access to a particular database, set database-level properties that specify which users have full (read-write) access to the database and which users have read-only access to the database. Users not specified by either property inherit the default access for the database (none, read-only, or full read-write access). When not explicitly set, the default access for a database is full (read-write) access.

Setting the Default Access Mode

To specify the default access mode for the database, use the cloudscape.database.defaultConnectionMode property. You can set the property to the following values:

Cloudscape validates the authorization configuration properties when users set them. It raises an exception if a user attempts to set the properties to invalid values (see Exceptions).

Setting the Access Mode for Particular Users

To specify which particular users have full (read-write) access to a database, use the cloudscape.database.fullAccessUsers property. For example:

CALL PropertyInfo.setDatabaseProperty(

To specify which particular users have read-only access to a database, use the cloudscape.database.readOnlyAccessUsers property. For example:

CALL PropertyInfo.setDatabaseProperty(

For these properties, you specify users as a comma-separated list (no spaces between the comma and the next user). For users not specified with either property, the access is determined by the cloudscape.database.defaultConnectionMode property.

NOTE: By setting the cloudscape.database.defaultConnectionMode property, it is possible to configure a database so that it cannot be changed (or even accessed). If you set this property to noAccess or readOnlyAccess, be sure to allow at least one user full access.

NOTE: Cloudscape provides a utility to make it easier to create and maintain the lists of read-only and full-access users. This utility is COM.cloudscape.database.UserUtility (aliased as UserUtility). For example, instead of having to retype the full list of cloudscape.database.fullAccessUsers when you add a full-access user, you can simply use UserUtility's add method to add a user. For example:

CALL UserUtility.add(

See the Javadoc for the utility or Examples for more details.

Notes on User Authorization

All the authorization properties are set for a connection when it is created. Changing any of the authorization properties does not affect existing connections. However, all future connections are affected by the change.

For more information about authorization identifiers, see Users and Authorization Identifiers.

Exceptions

If a user is not authorized to connect to the database specified in the connection request, SQLException 04501 is raised. If a user with readOnlyAccess attempts to write to a database, SQLException 22502 is raised.

About Read-Only and Full Access

Table 8-2 shows which actions read-only and full-access users are permitted to perform on regular or source databases and on target databases (source and target databases are part of a synchronization system). For more information about security in synchronization systems, see the Cloudscape Synchronization Guide.
Examples

This example shows the property settings to configure a database to support:
This example shows the settings to configure a database to support:
(The example demonstrates the use of delimited identifiers for user names.)
CALL PropertyInfo.setDatabaseProperty(
CALL PropertyInfo.setDatabaseProperty(
CALL PropertyInfo.setDatabaseProperty(

This example uses UserUtility to create and then modify lists of read-only and full-access users.
-- first, make the default access mode noAccess
-- then add users to the read-access user list
-- add jane
-- now add users to the full-access user list
-- add felipe
-- now change jane's permission to full-access
-- check on felipe's permissions:
-- take felipe out of all lists
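
The lockout warning in the NOTE under Setting the Access Mode for Particular Users, and the rule that unlisted users inherit the default mode, can be checked offline before the three properties are applied. The following Python is an added example, not part of the Cloudscape manual or product. Its function names, the `fullAccess` value spelling, and the identifier comparison rule are assumptions, and the page does not say how Cloudscape treats a user named in both lists, so the audit only reports that case.

```python
# Added example: offline audit of Cloudscape authorization property values.
MODES = ("noAccess", "readOnlyAccess", "fullAccess")  # "fullAccess" spelling assumed

def normalize(name):
    # Assumption: undelimited names compare case-insensitively; delimited
    # ("...") names keep their exact case. Names contain no commas.
    if len(name) >= 2 and name[0] == name[-1] == '"':
        return name[1:-1]
    return name.upper()

def parse_users(value):
    """Split a comma-separated list; flag empty entries and stray spaces."""
    users, problems = [], []
    for raw in (value.split(",") if value else []):
        if not raw or raw != raw.strip():
            problems.append(f"malformed entry {raw!r} (empty, or space next to a comma)")
        if raw.strip():
            users.append(normalize(raw.strip()))
    return users, problems

def audit(default_mode=None, full_access_users="", read_only_users=""):
    """Return (findings, access_for) for one database's three properties."""
    mode = default_mode or "fullAccess"  # unset default means full access
    findings = []
    if mode not in MODES:
        findings.append(f"invalid defaultConnectionMode {mode!r}")
    full, bad_full = parse_users(full_access_users)
    read_only, bad_ro = parse_users(read_only_users)
    findings += bad_full + bad_ro
    for user in sorted(set(full) & set(read_only)):
        findings.append(f"user {user} is in both lists")
    if mode in ("noAccess", "readOnlyAccess") and not full:
        findings.append("lockout: restrictive default and no full-access user")

    def access_for(user):
        key = normalize(user)
        if key in full:
            return "fullAccess"
        if key in read_only:
            return "readOnlyAccess"
        return mode  # users in neither list inherit the default
    return findings, access_for

if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    findings, access_for = audit("noAccess", "", 'jane,"Felipe"')
    print(findings, access_for("JANE"), access_for("felipe"))
```
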

Cloudscape Version 3.6
For information about Cloudscape technical support, go to: www.cloudscape.com/support/.
Copyright © 1998, 1999, 2000 Informix Software, Inc. All rights reserved.