Library /sys$common/syshlp/SQL$HELP72.HLB  —  ALTER  DATABASE  Arguments  SECURITY_CHECKING
    Traditionally Oracle Rdb has performed security checking using
    the operating system security layer (for example, the UIC and
    rights identifiers of the OpenVMS operating system).

    The access control list (ACL) information stored in the database
    contains a granted privilege mask and a set of users represented
    by a unique integer (for example, a UIC).

    There are two modes of security checking:

    1. SECURITY CHECKING IS EXTERNAL

       This is the default. External security checking recognizes
       database users as operating system user identification codes
       (UICs) and roles as special rights identifiers or groups.
       PERSONA support is enabled or disabled as follows:

       o  SECURITY CHECKING IS EXTERNAL (PERSONA SUPPORT IS ENABLED)

          Enables the full impersonation of an OpenVMS user. This
          means the UIC and the granted rights identifiers are used to
          check access control list permissions.

       o  SECURITY CHECKING IS EXTERNAL (PERSONA SUPPORT IS DISABLED)

          Disables the full impersonation of an OpenVMS user. Only
          the UIC is used to check access control list permissions.
          This is the default for a new database, or for a database
          converted from a prior version of Oracle Rdb.

    2. SECURITY CHECKING IS INTERNAL

       In this mode, Oracle Rdb records users (username and UIC) and
       roles (rights identifiers) in the database. The CREATE USER
       and CREATE ROLE statements perform this action explicitly, and
       the GRANT statement performs it implicitly. A database of this
       type can be moved to another system and depends only on the
       names of the users and roles.

       o  SECURITY CHECKING IS INTERNAL (ACCOUNT CHECK IS ENABLED)

          The ACCOUNT CHECK clause ensures that Oracle Rdb validates
          the current database user against the user name (such as
          one defined with a CREATE USER statement) stored in the
          database. This prevents different users with the same name
          from accessing the database. Therefore, this clause might
          prevent a breach in security.

          The ACCOUNT CHECK IS ENABLED clause on OpenVMS forces the
          user session to have the same user name and UIC as recorded
          in the database.

       o  SECURITY CHECKING IS INTERNAL (ACCOUNT CHECK IS DISABLED)

          If you specify the ACCOUNT CHECK IS DISABLED clause, then
          a user with a matching UIC (also called a profile-id) is
          considered the same as the user even if his or her user
          name is different. This allows support for multiple OpenVMS
          users with the same UIC.
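
    The following Python model is an added example, not Oracle Rdb code
    or part of this help text. It shows which session attributes each
    mode described above compares. The Session class, the function
    names, and the ACL and DB_USERS sample data are all constructed
    for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    username: str
    uic: str
    rights: frozenset = frozenset()   # rights identifiers held by the process

# Constructed sample data (hypothetical, not taken from a real database).
ACL = {"[200,10]": {"SELECT"}, "PAYROLL": {"SELECT", "UPDATE"}}
DB_USERS = {"SMITH": "[200,1]"}       # user name -> UIC recorded by CREATE USER

def external_privs(s, persona):
    """SECURITY CHECKING IS EXTERNAL: ACL entries are matched on the UIC,
    and on granted rights identifiers only if PERSONA SUPPORT IS ENABLED."""
    identities = {s.uic}
    if persona:
        identities |= set(s.rights)
    privs = set()
    for ident in identities:
        privs |= ACL.get(ident, set())
    return privs

def internal_user(s, account_check):
    """SECURITY CHECKING IS INTERNAL: return the recorded user the session
    is treated as, or None if no recorded user matches."""
    for name, uic in DB_USERS.items():
        if uic != s.uic:
            continue                  # both settings require a matching UIC
        if account_check and name != s.username:
            continue                  # ENABLED: user name must match as well
        return name                   # DISABLED: a matching UIC is sufficient
    return None

if __name__ == "__main__":
    jones = Session("JONES", "[200,10]", frozenset({"PAYROLL"}))
    # An ACL entry keyed on a rights identifier has no effect without persona support.
    print("persona enabled :", sorted(external_privs(jones, persona=True)))
    print("persona disabled:", sorted(external_privs(jones, persona=False)))

    shared = Session("SMITH_ALT", "[200,1]")   # second account sharing SMITH's UIC
    moved = Session("SMITH", "[300,5]")        # same name, different UIC
    print("shared UIC, check enabled :", internal_user(shared, True))
    print("shared UIC, check disabled:", internal_user(shared, False))
    print("same name, check enabled  :", internal_user(moved, True))
```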