Ident Structure
In the initial installation, one user ident, the system administrator with user ident name SYSADM, is automatically created.
SYSADM Privileges
The system administrator has the following privileges, options and access rights:
The system administrator is ultimately responsible for the structure of the whole system. In other respects, however, the system administrator is an ordinary user ident in the system.
There is no ident in Mimer SQL with automatic right of access to all objects within the system.
It is quite possible, and may be advisable especially in large systems, that the system administrator is prevented from accessing the actual contents of the database; the system administrator's job is to manage objects in the system, not to work on the data.
About System Utilities
Certain system utilities may only be run by idents with BACKUP or SHADOW privilege, see the Mimer SQL System Management Handbook.
When granting privileges, the keyword PUBLIC refers to a logical group that covers all idents in the database, including those created in the future.
Recommendations for Ident Structure
The following general recommendations can be made for structuring the idents in a system:
- Functional roles within the system, generally defined by one or more applications that are run, should be assigned to program idents. These are not coupled to any physical individual or group of individuals and thus have a lifetime independent of turnover of personnel.
The system administrator is just such a function, but is coupled to a user ident rather than a program ident for practical purposes.
- People accessing the system are represented by USER or OS_USER idents. They may be dropped if the person concerned leaves the company.
User idents should not be granted privileges directly, other than membership in groups. OS_USER idents are allowed access to the database on the authorization of a valid log-in to the operating system. For maximum protection, do not use OS_USER idents.
- Group idents are used to represent logical users of the system. Privileges are granted to groups rather than to individual programs or users. The individual idents are granted membership in the group to which they belong, and thereby gain the correct access to the system.
- USER and OS_USER idents should not in general be granted privileges to create objects (i.e. granted DATABANK, IDENT, SCHEMA, SHADOW or TABLE privileges). In this way, individual user idents may be dropped with no cascading effects except loss of views created by the user.
- WITH GRANT OPTION should be used sparingly and the ident hierarchy kept shallow. This minimizes the chance of undesired cascading revocation of privileges.
If these recommendations are followed, maintenance of the ident structure in the system is simplified. Access to the contents of the database is granted to relatively few group idents instead of many individual programs or users, and when a physical individual leaves the company, their user ident can be dropped with no cascading consequences.
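The following script is an added illustration of the recommendations above, not a script from the handbook. The ident names, password literals and payroll tables are constructed, and the statement forms (CREATE IDENT ... AS GROUP/PROGRAM/USER, GRANT MEMBER OF, DROP IDENT) are written as this editor understands Mimer SQL syntax; treat them as assumptions to check against the SQL reference before use.

```sql
-- Added example (not from the handbook). Run as SYSADM, the ident holding
-- IDENT privilege after installation. Names and passwords are constructed.

-- 1. A group ident carries the access rights. It has no password and cannot
--    log in; its only purpose is to hold privileges that people inherit.
CREATE IDENT payroll_users AS GROUP;

-- 2. A program ident owns the application's objects and is the only ident
--    given object-creation privileges. Its lifetime follows the application,
--    not any employee. No WITH GRANT OPTION: the hierarchy stays shallow.
CREATE IDENT payroll_app AS PROGRAM USING 'app-secret';
GRANT DATABANK TO payroll_app;
GRANT SCHEMA   TO payroll_app;
GRANT TABLE    TO payroll_app;
-- (payroll_app, logged in separately, creates its databank and tables here.)

-- 3. Data access is granted once, to the group, never to individual people.
--    SYSADM manages the structure but is given no access to the rows.
GRANT SELECT         ON payroll_app.salaries   TO payroll_users;
GRANT INSERT, UPDATE ON payroll_app.timesheets TO payroll_users;

-- Reference data everyone may read: PUBLIC covers every ident, including
-- idents created later, so no per-user grant is ever needed.
GRANT SELECT ON payroll_app.holidays TO PUBLIC;

-- 4. People are USER idents holding nothing but group membership.
CREATE IDENT alice AS USER USING 'initial-pw-1';
CREATE IDENT bob   AS USER USING 'initial-pw-2';
GRANT MEMBER OF payroll_users TO alice, bob;

-- 5. Offboarding: dropping the person's ident has no cascading effect,
--    because the privileges live on the group and the objects on the
--    program ident. Only views bob created himself would be lost.
DROP IDENT bob;
```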
Upright Database Technology AB Voice: +46 18 780 92 00 Fax: +46 18 780 92 40 dbtechnology@upright.se