frank.schimmelpfennig wrote:
> here is a question for better understanding of the SAP DB user concept:
>
> Is it better to use database roles or SAP DB user groups for administering diverse database privileges?

Yes and no, it depends on what you need. Let me describe:

USERGROUP
- a user can be a stand-alone user (not a member of any usergroup) or a member of exactly one usergroup
- objects (tables, views, ...) created by a user who is a member of the usergroup will belong to the usergroup (owner=usergroupname). Therefore no granting of privileges is necessary for all other members of the usergroup
- privileges can only be granted to the whole usergroup, not to one member out of it.
- a user added to the usergroup will receive every privilege of this group

ROLES
- a user or usergroup may have more than one role currently used.
- objects created by a user outside a usergroup belong to him, not to the role (nice, if some test tables or private address tables exist)
- for every object, privileges have to be granted to the role
- to a new user the role has to be granted/set to default role. It is as easy as adding a new user to a usergroup.

Conclusion:
If you are sure that now and even in the future all users inside the usergroup will have the same needs concerning privileges and objects, then a usergroup is a good idea.

If, for example, John, Chris and Jo usually have the same work, but once or twice a year John has to do the work of Jim (he is on vacation), but Chris and Jo should not receive Jim's privileges, then it may be easier to grant another role to John and add this to his current roles than to manage this if John is a member of a usergroup together with Chris and Jo (and John is not allowed to use Jim's name/password for this work).

Roles are known by other databases, too. Usergroups are not.

In the beginning we preferred usergroups, but now we are not sure which advice we should give.

Elke
SAP Labs Berlin
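
The John/Jim scenario from the reply above, written out as an added example that is not part of the original post. All table, role and user names and the placeholder passwords are hypothetical, and the statement forms follow SAP DB/MaxDB SQL as an assumption to check against the reference manual for your version.

```sql
-- Constructed example. Each statement is sent on its own, as the owner of
-- the tables (hypothetical names: orders, ledger).

-- One role per job function. Privileges are granted to the role, once per object.
CREATE ROLE order_entry
GRANT SELECT, INSERT, UPDATE ON orders TO order_entry

CREATE ROLE ledger_close
GRANT SELECT, UPDATE ON ledger TO ledger_close

-- Stand-alone users (not members of any usergroup), so objects they create
-- stay their own and roles can be assigned per person.
CREATE USER john  PASSWORD placeholder1
CREATE USER chris PASSWORD placeholder2
CREATE USER jo    PASSWORD placeholder3
CREATE USER jim   PASSWORD placeholder4

-- Everyday work: John, Chris and Jo share one role, active at connect time.
GRANT order_entry TO john
GRANT order_entry TO chris
GRANT order_entry TO jo
ALTER USER john  DEFAULT ROLE order_entry
ALTER USER chris DEFAULT ROLE order_entry
ALTER USER jo    DEFAULT ROLE order_entry

-- Jim's normal job.
GRANT ledger_close TO jim
ALTER USER jim DEFAULT ROLE ledger_close

-- Jim goes on vacation: only John receives the additional role.
-- Chris and Jo are untouched and Jim's password is never shared.
GRANT ledger_close TO john

-- In John's session, when he actually does Jim's work. The role is not in
-- his default set, so it is inactive until he asks for it.
SET ROLE ALL

-- Jim is back: withdraw the temporary role again.
REVOKE ledger_close FROM john

-- Usergroup contrast: a privilege can only go to the whole group, so the
-- same cover arrangement would reach every member.
--   CREATE USERGROUP order_staff
--   CREATE USER john PASSWORD placeholder1 USERGROUP order_staff
--   GRANT SELECT, UPDATE ON ledger TO order_staff   -- reaches Chris and Jo too
```

Leaving `ledger_close` out of John's default role means the extra privileges apply only in sessions where he explicitly enables them, and the grant and revoke pair gives a clear start and end to the cover period.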
