Using granular permissions on ASE 15.7 shows some non-intuitive behavior
Sybooks says permission "Update Any Security Catalog" is required for:
Updating, inserting, and deleting these security-related system catalogs, which are restricted from direct update
| master.dbo.syslogins | |
| master.dbo.syssrvroles | |
| master.dbo.sysloginroles | |
| db.dbo.sysroles | |
| db.dbo.sysprotects |
That makes sense, any direct update on this should require special permissions
Then there's the permission "Manage any statistics": Update or delete statistics on any table owned by anyone
However, permission "manage any statistics" is not sufficient for some tables
update index statistics sysroles
go
Msg 10331, Level 14, State 2:
Server 'ASE157', Line 1:
Permission denied, database testdb, owner dbo. You need the following permission(s) to run this command: UPDATE ANY SECURITY CATALOG.
update index statistics sysprotects
go
Msg 10330, Level 14, State 1:
Server 'ASE157', Line 1:
UPDATE STATISTICS permission denied on object sysprotects, database testdb, owner dbo
Very non-intuitive behavior.
I've raised a case with support, but they just say updating sysroles requires update any security catalog
IMHO update stats is not updating the table, manage any statistics should be sufficient
What do you think about this?
Hit any similar issues with granular permissions?