limit the definition of roles



If you want to protect the database, start by creating a resource via Security Management > Resources in the Management Portal, giving it a name that makes sense to you. For example, if your database is called "myAppDB", create a security resource "%DB_MYAPPDB".

Prefixing the name with '%DB' is a convention, not a requirement. During setup, add a description and select whether, by default, users have Read, Write and/or Use privileges.

This is only the first step.  Now that you have an identifiable security asset you want to secure, you can proceed.

You need to decide how users who fall under this new role of yours will interact with this DB, and build up the role definition accordingly. Using the Security Management > Roles section, select your new role and add the database resource that protects your database (in my example above, '%DB_MYAPPDB'), identifying whether users of this role can only READ or can also WRITE data in this database.

This action assigns the privilege for this database afforded to users who belong to this new role.

Actually working with this database, however, would require that you add some more resources to this role. For example, if these users are developers and you want to give them access for development, then add the %Development resource to your new role too.

You will more than likely also need to add a %Service_ type resource that allows users of this role service access into Cache, for example via TELNET or via ODBC. Your requirements will differ from others', but if Studio access is required, definitely include %Service_Object (Use).

Finally, have a look at a pre-defined role on the system called "%Developer", which is set up by default on most installations and is something you can use for reference. If you look at this role and its resources and permissions (privileges), you will see it has some databases under protection and allows %Development and a number of %Service_ resource types for allowing different access, as explained above.
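
The same steps can be scripted so the role definition is repeatable and reviewable. The routine below is an added example, not part of the original post: it uses the Security.Resources and Security.Roles classes in the %SYS namespace, and it assumes a hypothetical role name "MyAppDeveloper", no public permission on the resource, and Read/Write access for the role.

```objectscript
CreateMyAppRole() public {
    // Added example; run as an administrator.
    // The Security.* classes are only available in the %SYS namespace.
    new $namespace
    set $namespace = "%SYS"

    // Step 1: the resource that protects the database.
    // Assumption: empty public permission, so access is granted only through roles.
    if '##class(Security.Resources).Exists("%DB_MYAPPDB") {
        set sc = ##class(Security.Resources).Create("%DB_MYAPPDB", "Protects myAppDB", "")
        if $system.Status.IsError(sc) { return sc }
    }

    // Steps 2-4: the role, as a comma-separated list of resource:permission pairs.
    //   %DB_MYAPPDB:RW      read and write on the protected database
    //   %Development:U      development access
    //   %Service_Object:U   service access needed for Studio
    set resources = "%DB_MYAPPDB:RW,%Development:U,%Service_Object:U"

    // "MyAppDeveloper" is a hypothetical role name chosen for this example.
    if '##class(Security.Roles).Exists("MyAppDeveloper") {
        set sc = ##class(Security.Roles).Create("MyAppDeveloper", "Developers of myAppDB", resources)
        if $system.Status.IsError(sc) { return sc }
    }

    return 1
}
```

For a read-only role, change the first pair to `%DB_MYAPPDB:R` and leave out `%Development:U`.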