Archives of the TeradataForum
Message Posted: Tue, 08 Apr 2003 @ 16:54:53 GMT
Subj: Re: V2R5 - Roles and Profiles?
From: Gardner, Scott
The role feature is very nice and greatly simplifies security administration - put users into role, grant privileges on objects to role,
set user's default role (don't forget that last step). We do have one issue which seems to be specific to NT and two levels of roles.
I create two role "levels" - a user group role and a subject area role. I grant a user group role to all users in a functional area
(e.g. ug_sales). I grant data object privileges on all databases/tables/views in a subject area (e.g. sa_invoice) to a subject area role.
I then have a situation where administering security is done by simply granting subject area roles to user roles (e.g. grant sa_invoice to
ug_sales).
This works great, except for NT clients which quite often get the "user does not have select to ..." message. If they immediately re-run
the query, no error message. Run it again, maybe an error, maybe not. My current workaround is to use only one level of roles for NT users
(I grant data privileges directly to the user group role). I have not had any problems so far with the workaround - and as I said, this is
isolated to NT (works fine on Win2k). I will be opening an incident when I gather more data.
Once this issue is resolved, I can't imagine not using roles for security administration.
- Scott
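
The two-level layout described in the post, the one-level workaround, and a check for the default-role step, written as an added Teradata SQL example that is not part of the original message. The role names ug_sales and sa_invoice come from the post; invoice_db and sales_user1 are hypothetical, and the DBC.RoleMembers column names used in the last query are assumed from the standard data dictionary and should be confirmed on your release.

```sql
-- Added example; invoice_db and sales_user1 are hypothetical names.

-- Level 1: subject area role holds the data object privileges.
CREATE ROLE sa_invoice;
GRANT SELECT ON invoice_db TO sa_invoice;

-- Level 2: user group role holds the users of one functional area.
CREATE ROLE ug_sales;
GRANT ug_sales TO sales_user1;

-- Administration step: grant the subject area role to the user group role.
GRANT sa_invoice TO ug_sales;

-- The step the post says not to forget: without a default role,
-- no role is active at logon, so role privileges do not apply
-- until the session runs SET ROLE.
MODIFY USER sales_user1 AS DEFAULT ROLE = ug_sales;

-- One-level workaround from the post: grant the data privileges
-- directly to the user group role and drop the nested grant.
GRANT SELECT ON invoice_db TO ug_sales;
REVOKE sa_invoice FROM ug_sales;

-- Check: members of ug_sales that are users but do not have it
-- set as their default role (column names assumed, see lead-in).
SELECT Grantee, RoleName, DefaultRole
FROM DBC.RoleMembers
WHERE RoleName = 'ug_sales'
  AND GranteeKind = 'U'
  AND DefaultRole <> 'Y'
ORDER BY Grantee;
```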