|
|
Archives of the TeradataForum
Message Posted: Tue, 21 Nov 2006 @ 18:26:01 GMT
Subj: | | Re: Grant Option Cannot be Granted to a Role |
|
From: | | Fred W Pluebell |
Create an "all powerful" admin dummy user and under that ID create SPs that use dynamic SQL to do other GRANTs. Grant the "DBA role" EXECUTE
PROCEDURE on the admin SPs. (Security admin may want to REVOKE LOGON from this admin dummy user once it's all set up, but would have to GRANT
LOGON temporarily if you needed to change the SPs later.)
The SP logic can help enforce other policy rules, e.g. don't GRANT ... WITH GRANT OPTION. Also, this approach allows DBAs to grant roles /
rights without having to hold those rights themselves.
| |