602SQL Documentation Index  

Roles and Application Privileges

Roles allow you to grant users privileges for specific actions or data in an application. The application author defines roles according to the application logic and assigns privileges to them. The application administrator assigns users or groups to these roles and thereby grants them the appropriate privileges.

For example, an order system has the action "Create new invoice". Only some users should have the privilege to execute this action. Therefore:

  1. The application author creates the "Invoice clerk" role and grants it all the privileges necessary to create an invoice, such as the privileges to insert a record into the table of invoices and into the table of invoice items.
  2. The application administrator assigns to the "Invoice clerk" role the users who should have the privileges to create invoices, or alternatively a group of users that belong to the invoice department.

The application author has no way of telling which users will use the application and therefore cannot grant them any privileges. The application administrator does not know the internal logic of the application and does not know which objects are used and when. Roles therefore provide the connection between the application author and the application administrator.

Standard Roles

Four standard roles are established when creating a new application. These privileges are granted to the standard roles when a new object is created in this application:

Standard role    Default privilege
Author           Privilege to modify or delete all objects in the application.
Administrator    Privilege to read and write data in all tables and use all objects.
Senior_user      Privilege to read and write data in all tables and use all objects.
Junior_user      Privilege to read data in all tables and use all objects.

The standard roles only serve the most common situations. The application author may change the privileges at any time and may even remove these roles from the application.

The Administrator role has privileges that cannot be removed: the privilege to assign users and groups to roles and the privilege to delete the entire application.

Creating Roles

A role in an application can be created using the CREATE ROLE SQL statement, and deleted using the DROP ROLE SQL statement. The role name may not begin with a number.

Assigning Roles

The privilege to assign subjects to roles is granted to the application administrator (the user assigned to the Administrator role in the same application) and also to the security administrator (for solving special situations).

In a locked application, the Author role is disabled.

Creating a New Application

The application owner is assigned to both the Author and Administrator roles in a newly created application. Privileges granted to the standard roles for new objects are described above.

If the author wants some component to be modifiable during application runtime, the author should grant the privilege to overwrite it to a role other than the Author role.

If the author wants to restrict the privileges to data in some table(s), the author should remove these privileges from the standard roles. A table containing confidential user documents should have record-level privileges enabled, and the global privilege to all records should not be enabled for any role, not even for the Administrator role.

Deleting an Application or Application Components

The user(s) assigned to the Administrator, Author, or Security Administrator roles may delete an entire application. Applications can be deleted using the DROP SCHEMA SQL statement or from the Control Panel of the client. Privileges for separate components are not checked when deleting the entire application.

Deletion of individual objects is handled by the delete privilege for each object. This privilege is granted to the user that created the object and to the Author role by default. If this privilege is not explicitly granted to other roles, no one may delete components in a locked application.
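
The role indirection and the locked-application rule described above can be checked with a small model. This is an added example, not 602SQL code: it is a simplified simulation that resolves only role grants (per-user grants such as the object creator's are not modeled), and the users alice and bob, the group invoice_dept, the object name Invoices and the privilege labels are constructed.

```python
# Simplified model of role resolution; not the 602SQL implementation.
STANDARD = {  # default privileges each standard role gets on a new object
    "Author": {"modify", "delete"},
    "Administrator": {"read", "write", "use"},
    "Senior_user": {"read", "write", "use"},
    "Junior_user": {"read", "use"},
}

class Application:
    def __init__(self, owner):
        self.locked = False
        self.groups = {}                                   # group -> {users}
        self.grants = {role: set() for role in STANDARD}   # role -> {(privilege, object)}
        self.members = {role: set() for role in STANDARD}  # role -> {user or group}
        # The owner of a new application is assigned to Author and Administrator.
        self.members["Author"].add(owner)
        self.members["Administrator"].add(owner)

    def create_object(self, obj):
        for role, privs in STANDARD.items():
            self.grants[role] |= {(p, obj) for p in privs}

    def grant(self, role, privilege, obj):   # author side: privilege -> role
        self.grants.setdefault(role, set()).add((privilege, obj))

    def assign(self, subject, role):         # administrator side: subject -> role
        self.members.setdefault(role, set()).add(subject)

    def roles_of(self, user):
        subjects = {user} | {g for g, us in self.groups.items() if user in us}
        roles = {r for r, subs in self.members.items() if subs & subjects}
        # In a locked application the Author role is disabled.
        return roles - {"Author"} if self.locked else roles

    def who_can(self, privilege, obj, users):
        return sorted(u for u in users
                      if any((privilege, obj) in self.grants.get(r, set())
                             for r in self.roles_of(u)))

def build(extra_delete_role=None):
    app = Application(owner="alice")
    app.groups["invoice_dept"] = {"bob"}
    app.create_object("Invoices")
    app.grant("Invoice_clerk", "insert", "Invoices")
    app.assign("invoice_dept", "Invoice_clerk")
    if extra_delete_role:  # author grants delete to another role before locking
        app.grant(extra_delete_role, "delete", "Invoices")
    return app
```

Calling `who_can("delete", "Invoices", ...)` before and after setting `locked = True` shows the set of users able to delete the object becoming empty unless `build` was given another role to hold the delete privilege.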

Application Import and Export

An application may be exported for the following purposes:

In the second case, the application is exported in a locked state.

After application import, the user that performed the import is assigned to the Administrator role. He is not granted any further privileges besides that. The ability to alter application components depends on the exported application state:

The Everybody group is assigned to the Junior_user role after an application is imported.