Another Permissions question (Informix forums, Database Server Software category)
So I've been experimenting to try and understand Informix permissions.

Looking at the sysuser table, there are 3 entries. One of those three is "public". Is "public" a special user? Do users that connect to Informix but don't exist in the sysuser table get the "public" permissions?

I ask this, because if I connect as a user that exists on the server but not within Informix, I seem to have full privileges to select, create, update, delete anything I want. I want to understand how best to lock things down a little bit. It would be nice to prevent everybody from being able to connect and view the HR/Payroll data for instance -- or to alter their scholastic records, etc.

How do others manage database permissions?

Brian McLaughlin
Administrative Computing
George Fox University
(503) 554-2587

sending to informix-list
Brian McLaughlin wrote:
> So I've been experimenting to try and understand Informix permissions.
>
> Looking at the sysuser table, there are 3 entries. One of those three is
> "public". Is "public" a special user?

Yes.

> Do users that connect to
> Informix but don't exist in the sysuser table get the "public"
> permissions?

Yes.

> I ask this, because if I connect as a user that exists on the server but
> not within Informix, I seem to have full privileges to select, create,
> update, delete anything I want. I want to understand how best to lock
> things down a little bit. It would be nice to prevent everybody from
> being able to connect and view the HR/Payroll data for instance -- or to
> alter their scholastic records, etc.

Regular users also get public permissions added to their own permissions.

> How do others manage database permissions?

Investigate NODEFDAC as an environment variable. Or simply do

    REVOKE ALL ON newtable FROM PUBLIC;

whenever you create a table. Then give only the permissions you must. And don't forget, everyone gets public permissions plus their own permissions; you can't make anyone's permissions more restrictive than the general public.

--
Jonathan Leffler #include <disclaimer.h>
Email: jleffler@earthlink.net, jleffler@us.ibm.com
Guardian of DBD::Informix v2005.01 -- http://dbi.perl.org/
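The revoke-then-grant approach from the reply above, applied to one sensitive table, as an added example that is not part of the original thread. The table name `payroll` and the users `hr_clerk` and `hr_manager` are hypothetical; the catalog tables `systabauth`, `systables` and `sysusers` are standard Informix system catalog tables.

```sql
-- Added example: payroll, hr_clerk and hr_manager are hypothetical names.

-- 1. Audit: list user tables that currently carry privileges granted to PUBLIC.
--    tabauth is a flag string (s=select, u=update, i=insert, d=delete,
--    x=index, a=alter, r=references); a '-' means the privilege is absent.
SELECT t.owner, t.tabname, a.grantor, a.tabauth
  FROM systabauth a, systables t
 WHERE a.tabid = t.tabid
   AND a.grantee = 'public'
   AND t.tabid >= 100            -- tabid below 100 is the system catalog
 ORDER BY t.owner, t.tabname;

-- 2. Database-level privileges, including the "public" row the poster saw.
--    usertype: D = DBA, R = Resource, C = Connect.
SELECT username, usertype
  FROM sysusers
 ORDER BY username;

-- 3. Remove what PUBLIC holds on the sensitive table. Revoking from a named
--    user alone would not help: each user's effective privileges are their
--    own grants plus whatever PUBLIC still holds.
REVOKE ALL ON payroll FROM PUBLIC;

-- 4. Grant back only what each named user needs.
GRANT SELECT ON payroll TO hr_clerk;
GRANT SELECT, INSERT, UPDATE ON payroll TO hr_manager;

-- 5. Verify: no row with grantee 'public' should remain for this table,
--    and the named grantees should show only the flags granted in step 4.
SELECT a.grantee, a.grantor, a.tabauth
  FROM systabauth a, systables t
 WHERE a.tabid = t.tabid
   AND t.tabname = 'payroll'
 ORDER BY a.grantee;
```

Running step 1 again after a schema change shows any newly created tables that picked up default PUBLIC privileges.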
Rather than experiment, it might be time to read the appropriate section of the manual.

Check out http://publib.boulder.ibm.com/infoce...help/index.jsp and in the search box in the top left type "privileges", then choose the first article: Privileges on a Database and on its Objects

Brian McLaughlin wrote:
> So I've been experimenting to try and understand Informix permissions.
>
> Looking at the sysuser table, there are 3 entries. One of those three is
> "public". Is "public" a special user? Do users that connect to
> Informix but don't exist in the sysuser table get the "public"
> permissions?
>
> I ask this, because if I connect as a user that exists on the server but
> not within Informix, I seem to have full privileges to select, create,
> update, delete anything I want. I want to understand how best to lock
> things down a little bit. It would be nice to prevent everybody from
> being able to connect and view the HR/Payroll data for instance -- or to
> alter their scholastic records, etc.
>
> How do others manage database permissions?
>
> Brian McLaughlin
> Administrative Computing
> George Fox University
> (503) 554-2587
>
>
> sending to informix-list