Thomas Stegbauer wrote: > > hi list, > > after reading some mailinglist entries and some doc. it seems > roles are > the better usergroups
Not quite correct, with roles and usergroups some problems can be overcome, but they use different ways. And roles and usergroups have nothing to do with each other. Roles can be thought of a named set of privileges. Users, (usergroups) and roles belong to the same namespace, must have different names. Privileges can be granted/revoked to/from roles and users, roles can be granted/revoked to/from roles and users. With roles it is easy to give new users all rights needed to do their new job (just grant the role to them) and to change the privileges for all users needing the same privileges (just grant/revoke privileges to/from the role). Roles do not include any privilege after creation. The privileges have to be granted to the role. Many users may have the role granted, but in contrast to usergroups were one user always belong to one usergroup, a user may have different roles from time to time. > > the rolemember can changed afterwards (what is not possible with > usergroups without deleting that user) > > the user can be member of more than one role (is this true) > > the rolepermission can get activated by the user later with a > rolepassword > > my problems and questions: > > 1. where can i look, what roles exist? (why arent thy listed > under users > in sqlsto? or in the users view) see http://www.sapdb.org/7.4/htmhelp/9c/b33d40425326439dfc0366a8dcbf55/frameset.htm --> Roles http://www.sapdb.org/7.4/htmhelp/4b/8eb554c5767c4a80bc8f769120d247/frameset.htm > > 2. where i check what members a role has? Roles do not have members. What do you mean? A role is a named set of privileges. > > 3. who can i add a user, usergroup or an other role to a > role? i didn't > find the appropriate doc page. You have to grant privileges to a role using GRANT, you can grant roles to roles and users and you have to enable roles using the SET-statement http://www.sapdb.org/7.4/htmhelp/44/a17998442911d3a98200a0c9449261/frameset.htm which needs (depending on the role-definition) or does not need a password > > 4. to elke: i was unable to find the discussion how > permissions to all > tables can get set by a script. have you more information for me, to > find this. What you have to do is: for all users in your database whose tables have to be granted do connect with that user select tablename from tables for all tablenames returned do grant ... on tablename to ... get next tablename end commit release the session use next username end > > greetings > thomas > > p.s. if i forgot some important (dis)advantages from usergroups and > roles or if some information are wrong, please correct me. > > -- > -- > # Thomas Stegbauer > # http://www.keyserver.de:11371/pks/lookup?op=get&search=0xFF837A1A > # Key fingerprint = E469 F5DC 42FB B530 F5CB 99CB CEB2 BFC6 FF83 7A1A > > > _______________________________________________ sapdb.general mailing list [EMAIL PROTECTED] http://listserv.sap.com/mailman/listinfo/sapdb.general
