%SYSTEM.SQL.Security
abstract class %SYSTEM.SQL.Security extends %SYSTEM.Help
Method Inventory
- CheckPrivilege()
- CheckPrivilegeWithGrant()
- GrantPrivilege()
- GrantPrivilegeWithGrant()
- RevokePrivilege()
- RoleExists()
- UserExists()
Methods
classmethod CheckPrivilege(Username As %String, ObjectType As %Integer, Object As %String, Action As %String, Namespace As %String = "") as %Boolean
Check if user has SQL privilege for a particular action. This does not check grant privileges.
Parameters:1 - if the Username does have the privilege
0 - if the Username does not have the privilege
%Status - if CheckPrivilege call is reporting an error
If Username is a user with the %All role, CheckPrivilege will return 1 even if the Object does not exist.
If the user calling CheckPrivilege is not the same as Username, the calling user must hold the %Admin_Secure:"U" privilege.
Parameters:
- Username
- Name of the user to check. Required.
- ObjectType
- Required. Specifies the type to check the privilege of. ObjectTypes are 1 (table), 3 (view), 5 (schema), 6 (ml configuration), 9 (procedure).
- Object
- Required. The name the object to check the privilege of.
- For example, ObjectType and Object could be "1" and "Sample.Person", or "9" and "SQLUser.My_Procedure".
- Action
- Comma delimited string of actions letters to check privileges for. Actions are one or more of the letters "a,s,i,u,d,r,e,l" (in any order) which stands for ALTER,SELECT,INSERT,UPDATE,DELETE,REFERENCES,EXECUTE,USE (for ML Configurations). Privilege "e" is only allowed for Procedures. Privilege "l" is only allowed for ML Configurations. CheckPrivilege will only return 1 if the user has privileges on all Actions specified. Required.
- Namespace
- Namespace object resides in (optional) default is current namespace
Returns:
Notes:
Example:
- Do $SYSTEM.SQL.Security.CheckPrivilege("Miranda",3,"SQLUser.Person","s","PRODUCT")
classmethod CheckPrivilegeWithGrant(Username As %String, ObjectType As %Integer, Object As %String, Action As %String, Namespace As %String = "") as %Boolean
Check if user has SQL grant privilege for a particular action.
Parameters:1 - if the Username does have the privilege
0 - if the Username does not have the privilege
%Status - if CheckPrivilegeWithGrant call is reporting an error
If Username is a user with the %All role, CheckPrivilegeWithGrant will return 1 even if the Object does not exist.
If the user calling CheckPrivilegeWithGrant is not the same as Username, the calling user must hold the %Admin_Secure:"U" privilege.
Parameters:
- Username
- Name of the user to check. Required.
- ObjectType
- Required. Specifies the type to check the grant privilege of. ObjectTypes are 1 (table), 3 (view), 5 (schema), 6 (ml configuration), 9 (procedure).
- Object
- Required. The name the object to check the grant privilege of.
- For example, ObjectType and Object could be "1" and "Sample.Person", or "9" and "SQLUser.My_Procedure".
- Action
- Comma delimited string of actions letters to check grant privileges for. Actions are one or more of the letters "a,s,i,u,d,r,e,l" (in any order) which stands for ALTER,SELECT,INSERT,UPDATE,DELETE,REFERENCES,EXECUTE,USE (for ML Configurations). Privilege "e" is only allowed for Procedures. Privilege "l" is only allowed for ML Configurations. CheckPrivilegeWithGrant will only return 1 if the user has grant privileges on all Actions specified. Required.
- Namespace
- Namespace object resides in (optional) default is current namespace
Returns:
Notes:
Example:
- Do $SYSTEM.SQL.Security.CheckPrivilegeWithGrant($username,1,"HHR.ProductionValues","s,i,u,d","USER")
classmethod GrantPrivilege(ObjPriv As %String, ObjList As %String, Type As %String, User As %String) as %Status
GrantPrivilege lets you grant an ObjPriv to a User via this call instead of using the SQL GRANT statement.
This does not include grant privileges.
$SYSTEM.SQL.Security.GrantPrivilege(ObjPriv,ObjList,Type,User)
-
Parameters:
- ObjPriv
- Comma delimited string of actions to grant. * for all actions:
- Alter
- Select
- Insert
- Update
- Delete
- References
- Execute
- Use
- or any combination
- ObjList
- * for all objects, else a comma delimited list of SQL object names (tables, views, procedures, schemas)
- Type
- Table, View, Schema, Stored Procedures, or ML Configuration
- User
- Comma delimited list of users
classmethod GrantPrivilegeWithGrant(ObjPriv As %String, ObjList As %String, Type As %String, User As %String) as %Status
GrantPrivilegeWithGrant lets you grant an ObjPriv, WITH GRANT OPTION, to a User
$SYSTEM.SQL.Security.GrantPrivilegeWithGrant(ObjPriv,ObjList,Type,User)
-
Parameters:
- ObjPriv
- Comma delimited string of actions to grant. * for all actions:
- Alter
- Select
- Insert
- Update
- Delete
- References
- Execute
- Use
- or any combination
- ObjList
- * for all objects, else a comma delimited list of SQL object names (tables, views, procedures, schemas)
- Type
- Table, View, Schema, Stored Procedure, or ML Configuration
- User
- Comma delimited list of users
classmethod RevokePrivilege(ObjPriv As %String, ObjList As %String, Type As %String, User As %String, wGrant As %Integer = 0, Cascade As %Integer = 0, AsGrantor As %String = "") as %Status
RevokePrivilege lets you revoke an ObjPriv from a User via this call instead of using the SQL REVOKE statement
$SYSTEM.SQL.Security.RevokePrivilege(ObjPriv,ObjList,Type,User,wGrant,Cascade,AsGrantor)
-
Parameters:
- ObjPriv
- Comma delimited string of actions to grant. * for all actions:
- Alter
- Select
- Insert
- Update
- Delete
- References
- Execute
- Use
- or any combination
- ObjList
- * for all objects, else a comma delimited list of SQL object names (tables, views, procedures, schemas)
- Type
- Table, View, Schema, ML Configuration, or Stored Procedures
- User
- Comma delimited list of users
- wGrant
- 0/1 for WITH GRANT OPTION
- Cascade
- 0/1 cascade revoke?
- AsGrantor
- Alternate User to remove privileges for. AsGrantor can be a user name, a comma-separated list of user names, or "*".
classmethod RoleExists(rolename As %Library.String = "") as %Library.Boolean [ SQLProc = Security_RoleExists ]
Projected as the stored procedure: Security_RoleExists
This entry point can be used to determine if a role exists.
Parameters:
Parameters:
- rolename
- Name of the role to check.
Examples:
- Write $SYSTEM.SQL.Security.RoleExists("SalesManager") // Writes a 1 if role SalesManager exists
classmethod UserExists(username As %Library.String = "") as %Library.Boolean [ SQLProc = Security_UserExists ]
Projected as the stored procedure: Security_UserExists
This entry point can be used to determine if a user exists.
Parameters:
Parameters:
- username
- Name of the user to check.
Examples:
- Write $SYSTEM.SQL.Security.UserExists("Robert") // Writes a 1 if user Robert exists