To ensure that users have only the authorizations that they need for their work, we recommend the following measures:
? Create an authorization concept that specifies clear authorizations for individual users:
0 Define which database users are to have access to which data.
0 Define which Database Manager operators are to carry out which administration tasks.
? Create a separate database user for each person who works with the database instance. In doing this, use the user classes STANDARD and RESOURCE where possible.
? Distribute the administration tasks. In addition to defining the database system administrator, define database users of the user class DBA and Database Manager operators.
? Assign Database Manager operators only those server authorizations that they really need.
In some cases it can make sense to create a Database Manager operator that can check the operational state of the database instance but cannot perform any administration tasks.
On Microsoft Windows, use the database tool Database Manager GUI:
Database Manager GUI, Creating/Changing/Deleting a Database User
In other operating systems, use the database tool SQLCLI and the corresponding SQL statements for the authorization of users:
SQLCLI, Executing an SQL Statement
SQL Reference Manual, Authorization
To create Database Manager operators, use the database tool Database Manager:
Database Manager GUI, Creating/Changing/Deleting a Database Manager Operator
Database Manager CLI, user_create
To adjust the server authorizations of Database Manager operators, use the database tool Database Manager:
Database Manager GUI: Changing the Server Authorizations
Database Manager CLI: user put