CHAPTER 10 Managing User IDs and Permissions
363
sp_helptext
sp_name_in_question
Managing groups
Once you understand how to manage permissions for individual users (as
described in the previous section) working with groups is straightforward. A
group is identified by a user ID, just like a single user, but this user ID is
granted the permission to have members.
DBA, RESOURCE,
and GROUP
permissions
When permissions on tables, views, and procedures are granted to or revoked
from a group, all members of the group inherit those changes. The DBA,
RESOURCE, and GROUP permissions are not inherited: they must be
assigned individually to each individual user ID requiring them.
A group is simply a user ID with special permissions. Granting permissions to
a group and revoking permissions from a group are done in exactly the same
manner as any other user, using the commands described in “Managing
individual user IDs and permissions”.
A group can also be a member of a group. A hierarchy of groups can be
constructed, each inheriting permissions from its parent group.
A user ID may be granted membership in more than one group, so the user-to-
group relationship is many-to-many.
The ability to create a group without a password enables you to prevent
anybody from signing on using the group user ID. This security feature is
discussed in “Groups without passwords”.
Creating groups
❖ To create a group with a name and password:
1 Connect to the database as a user with DBA authority.
2 Create the group's user ID just as you would any other user ID, using the
following SQL statement:
GRANT CONNECT
TO personnel
IDENTIFIED BY group_password