SQL Anywhere 16. We had someone retire, and I am removing his role as a dba. He feels that removing his dba role will affect any authorities he granted as dba. I'm sure that's not true, as it's not like I'm removing the dba user! But I said that I would ask.
Change the password, and otherwise leave well enough alone :) 1
Well, better drop the password, right? That being said, it would be somewhat disappointing if the fancy and mighty v16 role-based access model would be soo complex that "never drop a user" would make the common rule of thumb...
(04 Jun '19, 10:27)
Volker Barth
Point taken, Breck. I guess I need to stop trying to clean up users. And totally agree with you, Volker.
(04 Jun '19, 12:19)
rsnyder
I did ask our paid support. As I think this should work; not sure how warm and fuzzy I feel about it. Will likely go with altering password.

> Hi,
> After some testing, as long as the user is not getting deleted. It is not going to affect other database object that the user added, edited while logging in as DBA,
> Regards,
> xxxxxxx
> 04.06.2019 11:41:34 CST
(04 Jun '19, 13:56)
rsnyder
> Well, better drop the password, right?

Either that, or make the new password strong, secret, and in the possession of someone authorized to be a DBA. Having a password avoids the extra step of adding a password should the need arise to use that id.

> fancy and mighty v16 role-based access model

...a solution looking for a problem most people simply ... do ... not ... have. (most people don't read in-flight magazine articles about security :)
(05 Jun '19, 10:37)
Breck Carter
You are asking with the lesson learnt from that question, right?
Yes, I am! And everyone is nervous about removing anything. :-)
What exactly statement(s) are you going to run, and how was the DBA role assigned?
Note, I'm just asking for details, I won't be able to answer your question...
Grant DBA to "JDoe" is how it was assigned, and Revoke DBA from "JDoe" is how I plan to remove.
As stated, I do not know, and besides the obvious "Just test this on a copy of your database or a sample database" the following quote makes me wonder...:
From the REVOKE statement (deprecated):
In my understanding, the former "DBA authority" / new "SYS_AUTH_DBA_ROLE compatibility role" has no explicit "WITH GRANT OPTION", so the above effect may or may not apply.
Resume: I won't be able to answer your question...