Granular permissions not very intuitive

Using granular permissions on ASE 15.7 shows some non-intuitive behavior

Sybooks says permission "Update Any Security Catalog" is required for:

Updating, inserting, and deleting these security-related system catalogs, which are restricted from direct update

master.dbo.syslogins
master.dbo.syssrvroles
master.dbo.sysloginroles
db.dbo.sysroles
db.dbo.sysprotects

That makes sense; any direct update on these should require special permissions.

Then there's the permission "Manage any statistics": Update or delete statistics on any table owned by anyone

However, permission "manage any statistics" is not sufficient for some tables:

update index statistics sysroles
go
Msg 10331, Level 14, State 2:
Server 'ASE157', Line 1:
Permission denied, database testdb, owner dbo. You need the following permission(s) to run this command: UPDATE ANY SECURITY CATALOG.

update index statistics sysprotects
go
Msg 10330, Level 14, State 1:
Server 'ASE157', Line 1:
UPDATE STATISTICS permission denied on object sysprotects, database testdb, owner dbo

Very non-intuitive behavior.

I've raised a case with support, but they just say updating sysroles requires update any security catalog.

IMHO update stats is not updating the table; manage any statistics should be sufficient.

What do you think about this?

Hit any similar issues with granular permissions?
