Hi,
We are managing permissions through roles for application team members. We are encountering a permission issue post migration. We noticed that even though the roles have been granted to the logins, the user gets stuck with permission denied error.
We tried to dig deep by checking the roles and the login-role mapping in master database. The roles have all the permissions on the tables and the login is mapped to the role in sysloginroles table.
Our onshore DBA worked on this and provided the below explanation:
Whenever a role is created the role gets added in the syssrvroles table. When the role is granted permissions in a database the role gets added to the sysroles and sysusers table in the user database(Don't remember where it is added first). When migration happened, the new server has additional roles and due to the role ID mismatch the logins are getting mapped to wrong roles internally and users encounter permission denied issues.
I did understand this concept and agreed but he asked us to delete the entry for the problematic user in master database sysusers table. I did not understand this and asked him to explain further. He explained me how the permission check actually works in sybase ASE. However, I still do not seem to understand the permission checking procedure in sybase ASE.
It would be great if someone could throw some light on this issue. I would like to know the purpose of the sysroles table in master and user databases and how the permission checking happens when the permissions are granted through roles.
Please find the details below:
Pre-migration
Sybase ASE version: 12.5.4
Post migration
Sybase ASE version: 16.0
Many thanks.
--Nandy