In the initial installation, one user ident, the system administrator with user ident name SYSADM, is automatically created.
The system administrator has the following privileges (with grant option):
The system administrator is ultimately responsible for the structure of the whole system. In other respects, however, the system administrator is an ordinary user ident in the system.
There is no ident in Mimer SQL with automatic right of access to all objects within the system.
It is quite possible, and may be advisable especially in large systems, for the system administrator to be prevented from accessing the actual contents of the database; the system administrator's job is to manage objects in the system, not to work on the data.
About System Utilities
Certain system utilities may only be run by idents with SHADOW privilege, see the Mimer SQL System Management Handbook.
When granting privileges, the keyword PUBLIC refers to a logical group that covers all idents in the database, including those created in the future.
Recommendations for Ident Structure
The following general recommendations can be made for structuring the idents in a system:
- Functional roles within the system, generally defined by one or more applications that are run, should be assigned to program idents. These are not coupled to any physical individual or group of individuals and thus have a lifetime independent of turnover of personnel.
- People accessing the system are represented by USER idents. They may be dropped if the person concerned leaves the company. User idents should not be granted privileges directly, other than membership in groups. A USER ident with an OS_USER login is allowed access to the database on the authorization of a valid log-in to the operating system.
- Group idents are used to represent logical users of the system. Privileges are granted to groups rather than to individual programs or users. The individual idents are granted membership in the group to which they belong, and thereby gain the correct access to the system.
USER idents should not in general be able to create objects. This is achieved by specifying WITHOUT SCHEMA when the user is created. In this way, individual user idents may be dropped with no cascading effects.
WITH GRANT OPTION should be used sparingly and the ident hierarchy kept shallow. This minimizes the chance of undesired cascading revocation of privileges.
If these recommendations are followed, maintenance of the ident structure in the system is simplified. Access to the contents of the database is granted to relatively few group idents instead of many individual programs or users, and when a physical individual leaves the company, their user ident can be dropped with no cascading consequences.
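The following is an added example, not taken from the Mimer SQL documentation, showing one way to set up the ident structure recommended above. The ident names (SALES_GROUP, ORDER_ENTRY_APP, ALICE, BOB) and the table SALES_SCHEMA.ORDERS are assumed; the statements follow Mimer SQL's CREATE IDENT, GRANT and DROP IDENT syntax as the author of this example understands it, so check them against the SQL reference for your server version.

```sql
-- Added example (not from the Mimer SQL documentation). Ident names and the
-- ORDERS table are assumed; syntax is Mimer SQL CREATE IDENT / GRANT MEMBER OF.

-- Group ident: the only ident that will hold privileges on the data.
CREATE IDENT SALES_GROUP AS GROUP;

-- Program ident: represents the application's functional role, not a person,
-- so it outlives staff turnover.
CREATE IDENT ORDER_ENTRY_APP AS PROGRAM USING 'app-secret';

-- User ident created WITHOUT SCHEMA: the person cannot own objects, so the
-- ident can later be dropped with no cascading effects.
CREATE IDENT ALICE AS USER USING 'alice-secret' WITHOUT SCHEMA;

-- User ident authenticated by a valid operating-system login (OS_USER).
CREATE IDENT BOB AS OS_USER WITHOUT SCHEMA;

-- Privileges on the data go to the group only, and without grant option,
-- keeping the hierarchy shallow and revocation predictable.
GRANT SELECT, INSERT, UPDATE ON SALES_SCHEMA.ORDERS TO SALES_GROUP;

-- Individual idents gain access solely through group membership.
GRANT MEMBER OF SALES_GROUP TO ORDER_ENTRY_APP;
GRANT MEMBER OF SALES_GROUP TO ALICE;
GRANT MEMBER OF SALES_GROUP TO BOB;

-- When Alice leaves the company: drop her ident. Nothing cascades, because
-- she owns no schema and holds no directly granted privileges.
DROP IDENT ALICE;
```

Note that the data privileges are never granted to ALICE or BOB directly; dropping a person's ident therefore touches only their group membership, which is exactly the property the recommendations aim for.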
Mimer Information Technology AB
Phone: +46 18 780 92 00