 |
 |
Archives of the TeradataForum
Message Posted: Mon, 23 Dec 2002 @ 13:52:18 GMT
| Subj: | | Re: Access Rights |
| |
| From: | | Geoffrey Rommel |
| | I have a database with several tables, views and macros. What is the most efficient way to grant the following to ALL users: | |
| | No one should be able to access a table. | |
| | Everyone should be able to access any one of dozens of views. | |
| | Everyone should have the ability to execute any one of 7 macros. | |
The best way, Jim, would be to separate the tables (db_of_tables) from the views and macros (db_of_views). This is fairly standard
procedure in Teradata-land. You would then grant the following:
grant select
on db_of_tables
to db_of_views
with grant option;
grant select, execute
on db_of_views
to [ALL group_of_users, or a role, or PUBLIC, or individual ID's];
As Dave mentioned, if you must keep everything in the same database, you must grant the rights on every object individually.
Yuk.
Since you aren't a DBA, you probably aren't aware of why this is undesirable. The reason is that nearly every access right you grant
will insert a new row into DBC.AccessRights. If you grant, say, select and execute to a database, as in the statements above, only one row
will be inserted into the table; it will have a TableName of 'All' and a ColumnName of 'All' (or actually '00'xb, which means 'All'). There
will still be one row per user, but at least there will only be one row per database. If you have 500 users, this will result in 500 rows.
If, however, you grant access on individual objects, a row will be inserted for each object and each user. If there are 100 objects in the
database and 500 users, you will need 50,000 rows in AccessRights just for this one database. Now, keep in mind that AccessRights has to be
searched every time anyone runs a query. Probably most of these searches are one- or two-AMP operations, but cutting down on the number of
rows always
helps.
--wgr
| |
