1
10 Administration etc.
2
User Admin. And Security
3
Data Security

Sybase IQ allows privacy of appropriate information within the database.
Security is implemented at various levels:
- Users
- Groups
- Object/command-level permissions

April 16, 2019
4
Users

- You should set up individual user IDs for each user
  - This lets you tell which connections belong to which users
- DBA (Database Administrator or database owner) has authority to add new users
5
Users and Groups

- User
  - A login can access a database
- Groups
  - Enables a collective name for a set of users
  - Simplifies administration
- Users in groups
  - SYS group
  - PUBLIC group

The SYS group owns all system tables in the IQ Catalog Store. There is no login for SYS. You cannot interactively change any data in tables owned by SYS.
6
Special User

- DBA User
  - This is the initial user in a database
  - Password is SQL
  - Responsible for the overall management of the database
  - Adds new users and allocates permissions
  - Authority to create all database objects
  - Has DBA Authority
  - Has Resource Authority

DBA is also referred to as the Database Administrator or Database Owner.

Case sensitivity for the DBA user ID:
- If a database was created as Case Respect, then the DBA user name and password must be in upper case
- If the database was created as Case Ignore, then the user name and password are also case insensitive

Authorities are covered on the next page.
7
Authorities

- DBA Authority
  - Overall authority for database management
  - Manages users and permissions in the database
  - Required for Create, Backup and Restore database commands
  - May be granted to other users
- Resource Authority
  - Required to create objects in a database
  - May be granted to other users by a user with DBA Authority

Resource Authority is a subset of DBA Authority.
8
Adding Users to the Server
There are three methods to add users to your server:
- Grant Connect
- Sybase Central Wizard
- sp_iqaddlogin

Any of these methods may be used. sp_iqaddlogin provides more functionality for user and password management. sp_iqaddlogin and this added functionality were introduced in version 12.5.
9
Creating Users - Grant Connect
DBISQL Syntax:
    GRANT CONNECT TO userid [,...] IDENTIFIED BY password [,...]
Example:
    GRANT CONNECT TO laura_smith IDENTIFIED BY secret;
To create a user with no password, type:
    GRANT CONNECT TO userid

A user with no password cannot connect to the database. This user is useful when you are creating groups.
10
Changing a Password

Syntax:
    GRANT CONNECT TO userid [,...] IDENTIFIED BY password [,...]

- Notice this is the same command used to add a new user
- For this reason, if you inadvertently enter the user ID of an existing user when you mean to add a new user, you are actually changing the password of the existing user
- No warning is issued since this behavior is considered normal
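One way to guard against the silent password change described above, as an added example that is not part of the original slides: look the user ID up in the catalog before issuing GRANT CONNECT. It assumes the SYS.SYSUSERPERMS catalog view with a user_name column; the password and the error number are placeholders.

```sql
-- Added example: create laura_smith only if the ID is not already in use.
-- Assumption: SYS.SYSUSERPERMS lists every user ID in its user_name column.
BEGIN
    IF EXISTS (SELECT 1
                 FROM SYS.SYSUSERPERMS
                WHERE user_name = 'laura_smith') THEN
        -- GRANT CONNECT here would overwrite the existing user's password
        -- without any warning, so stop and report instead.
        RAISERROR 99999 'User laura_smith already exists; password left unchanged';
    ELSE
        -- placeholder_initial_pw is a constructed value; replace it.
        GRANT CONNECT TO laura_smith IDENTIFIED BY placeholder_initial_pw;
    END IF;
END;
```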
11
Creating Users with Sybase Central
1. Connect to the database
2. Click Users and Groups folder
3. Double-click Add User
4. Follow wizard

Remember the server's case sensitivity is honored.
12
Managing User Accounts
Stored Procedures for Managing User Accounts:
- sp_iqaddlogin
- sp_iqprocess_login
- sp_iqdroplogin
- sp_iqlistexpiredpasswords
- sp_iqlistlockedusers
- sp_iqlistpasswordexpirations
- sp_iqlocklogin
- sp_iqmodifyadmin
- sp_iqmodifylogin
- sp_iqpassword

Examples of some of these follow. DBA Authority is required to execute these stored procedures.
13
Add New User - sp_iqaddlogin
Syntax:
    sp_iqaddlogin (loginname, password, [number_of_connections] [,password_expiration])

Two parameters are required, two are optional.
14
sp_iqaddlogin

This procedure has several functions:
- Add a new user and assign a password
- Limit the number of connections for a user (optional)
  - 0 is default (no limit)
- Establish a password expiration interval (optional)
  - Interval is in days
  - 0 is default (no expiration)
  - Allowable range is 0 to 32,767
15
Managing Users

- You may enable user administration to provide more control over users
- To enable this functionality execute:
      sp_iqmodifyadmin enable
- After 'enabling', users added with sp_iqaddlogin will be listed in a user administration table: IQ_USER_LOGIN_INFO_TABLE

User Administration is NOT enabled by default. You must enable this functionality with this stored procedure. The user administration table is known as IQ_USER_LOGIN_INFO_TABLE. Users added using Sybase Central or Grant Connect cannot be 'administered.' You must add (or re-add) the user with sp_iqaddlogin.
16
IQ_SYSTEM_LOGIN_INFO_TABLE
- Contains one row with the default values for IQ User Administration
- Used for connection and password control
- The user_admin_enable field indicates if the IQ User Administration is enabled

This is a system table which is used with user administration. This table contains the default values for number of connections and for password administration. The stored procedure on the next page is used to change the default values for this table.
17
sp_iqmodifyadmin

Enables user administration and modifies account information in IQ_SYSTEM_LOGIN_INFO_TABLE

Syntax:
    sp_iqmodifyadmin ({[enable|disable|user_connections|db_connections|password_expiration|password_warning]},[value])

Use this stored procedure to change the defaults for all users.
- sp_iqmodifyadmin [ enable | disable ] - enables or disables user administration in the server. If you execute with 'disable' then none of the limits below are effective.
- sp_iqmodifyadmin user_connections n - sets as a default the maximum number of connections per user. Default = 0, meaning no limit. Allowable values are 0 to 32,767.
- sp_iqmodifyadmin password_expiration n - sets as a default the number of days a password is valid.
- sp_iqmodifyadmin password_warning n - sets the number of days before a password expires that a warning message is sent to the user. Default = 0, meaning no warnings.
18
sp_iqmodifylogin

Manipulates data in the IQ_USER_LOGIN_INFO_TABLE

Syntax:
    sp_iqmodifylogin ({loginname | all overrides }, option, value)

This procedure modifies a user (or all users) in the IQ_USER_LOGIN_INFO_TABLE.
- loginname | all overrides
  - 'loginname' is used to identify a particular user
  - 'all overrides' will affect all users EXCEPT the DBA
- option, value
  - password_expiration, n - to set the password expiration interval to n days for one or all users
  - number_of_connections, n - to set the limit on the number of connections for one or all users
19
Managing Password Expiration
Two stored procedures:
- To add or change a password for an IQ user account:
      sp_iqpassword(caller_password, new_password [,loginname])
  caller_password is the old password or the DBA's password
- To list all users with expired passwords:
      sp_iqlistexpiredpasswords
20
Locking User Accounts

- To lock an IQ user account so that the user cannot log in, use:
      sp_iqlocklogin (loginname, [lock | unlock ])
- To list user accounts that are locked out of the database:
      sp_iqlistlockedusers

You may want to lock a user login (rather than drop it) when a user owns an object in the database but you no longer want that user to be able to log in. Consider the case where a Group user who created all the database objects is locked out from connecting but retains ownership of all objects.
21
Failed Connection

This user will need to contact the DBA to access the database.
22
sp_iqdroplogin

To drop an IQ user account from the database and User Administration:
    sp_iqdroplogin (userid)

You cannot drop a user if the user owns any objects in the database.
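The account-management procedures from the preceding slides, put together as one hardening and account-lifecycle script. This is an added example, not part of the original slides; the login name, limits and passwords are constructed placeholders, and the CALL form with quoted string arguments is an assumption about how the procedures are invoked from DBISQL.

```sql
-- Added example. Run as a user with DBA authority.

-- Replace the initial DBA password (SQL). GRANT CONNECT on an existing
-- user ID changes that user's password.
GRANT CONNECT TO DBA IDENTIFIED BY placeholder_dba_pw;

-- User Administration is off by default: enable it, then set defaults.
CALL sp_iqmodifyadmin('enable');
CALL sp_iqmodifyadmin('user_connections', 5);      -- max connections per user
CALL sp_iqmodifyadmin('password_expiration', 90);  -- days a password is valid
CALL sp_iqmodifyadmin('password_warning', 14);     -- days of advance warning

-- Only logins created with sp_iqaddlogin can be administered.
-- laura_smith: at most 2 connections, password expires after 60 days.
CALL sp_iqaddlogin('laura_smith', 'placeholder_user_pw', 2, 60);

-- Tighten one login, then apply an expiration to all users except the DBA.
CALL sp_iqmodifylogin('laura_smith', 'number_of_connections', 1);
CALL sp_iqmodifylogin('all overrides', 'password_expiration', 90);

-- Periodic review.
CALL sp_iqlistpasswordexpirations();
CALL sp_iqlistexpiredpasswords();
CALL sp_iqlistlockedusers();

-- Offboarding: lock the login when the user still owns objects ...
CALL sp_iqlocklogin('laura_smith', 'lock');
-- ... and drop it only once the user owns nothing in the database.
CALL sp_iqdroplogin('laura_smith');
```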
23
Groups

- Groups are commonly used in Sybase IQ databases
- A Group typically owns all (or some) database objects
  - Rather than the DBA
- Facilitates managing permissions
24
Special Groups

- SYS group
  - Owner of all system tables and views for the database
  - Automatically created, no password
  - Cannot connect to the database as SYS
- PUBLIC group
  - Member of the SYS group with read access for some of the system tables and views
  - Any new user is automatically a member of the PUBLIC group
    - This is configurable
  - Automatically created with connect permissions to the database
- Can use REVOKE to remove membership in these groups
  - REVOKE syntax to follow
25
Creating Groups

DBISQL Syntax:
    GRANT GROUP TO userid
Allows the user to have members.
Example:
    GRANT CONNECT TO marketing;
    GRANT GROUP TO marketing;
This example creates a user (marketing) with no password. You cannot connect to the database as the marketing user.

In Sybase Central:
1. Connect to the database.
2. Click the Users and Groups folder.
3. Double-click Add Group.
4. Follow wizard.
26
Adding a User to a Group

DBISQL Syntax:
    GRANT MEMBERSHIP IN GROUP group-name TO userid
Example:
    GRANT MEMBERSHIP IN GROUP marketing TO laura_smith
Must have already granted connect permission to laura_smith.

Steps to create a user in a group:
1. GRANT CONNECT TO laura_smith;
2. GRANT CONNECT TO marketing;
3. GRANT GROUP TO marketing;
4. GRANT MEMBERSHIP IN GROUP marketing TO laura_smith;
27
Table and View Permissions
Syntax:
    GRANT { ALL | ALTER | DELETE | INSERT | REFERENCES | UPDATE | SELECT [ ( column-name [,...] ) ] ... }
        ON table-name TO userid [,...] [WITH GRANT OPTION]
Example:
    GRANT SELECT ON customer TO laura_smith

There are several ways to grant user permissions in Sybase Central.

User IDs inherit the permissions that are granted to or revoked from the group that they are a member of.

See Chapter 10, “Managing User IDs and Permissions,” in the Sybase IQ Administration and Performance Guide.
28
Stored Procedure Permissions
- Must have EXECUTE permission to execute a stored procedure
- Similar to granting permissions on tables and views
- Example:
      GRANT EXECUTE ON my_procedure TO laura_smith
- Procedures execute with the permissions of their owners
- Must be done individually on each stored procedure
  - i.e. cannot use wildcards

Any procedure that inserts or deletes from a table will execute successfully only if the owner of the procedure has the correct level of permissions. Therefore, the owner must have INSERT or DELETE permission on that table. You can grant user permissions on procedures in Sybase Central. See Chapter 10, “Managing User IDs and Permissions,” in the Sybase IQ Administration and Performance Guide.
29
REVOKE Statement

The REVOKE statement is the exact converse of the GRANT statement.
Example:
    REVOKE SELECT ON customer FROM laura_smith
30
Permissions Hierarchy
31
Database Object Names and Prefixes
- Every database object is an identifier; up until now all database objects have been referred to using their simple name
  - Example: SELECT * from employee
- Tables, procedures and views all have an owner
  - Example: SELECT * from "DBA".employee
- When referring to a database object, a prefix is required unless:
  - You are the owner of the object
  - The database object is owned by a group ID of which you are a member

This is an important difference between Sybase ASE and Sybase IQ. Unless you are the user owning a table or a member of the Group that owns the table, you must fully qualify the table with the owner name. You CANNOT change table ownership in Sybase IQ. You should consider having a Group own all tables in your database rather than the DBA or another user. If a user (other than DBA) has created all the tables, you can make that user a Group and add other users to that group.
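The group, table, procedure and prefix rules from the preceding slides, combined into one least-privilege setup. This is an added example, not part of the original slides; app_owner, audit_readers, audit_log and add_audit are constructed names, and the outcomes in the comments follow from the rules stated on the slides.

```sql
-- Added example. Run the setup as a user with DBA authority.

-- 1. Owner group with no password: nobody can connect as app_owner.
GRANT CONNECT TO app_owner;
GRANT GROUP TO app_owner;

-- 2. Objects owned by the group rather than by the DBA.
CREATE TABLE app_owner.audit_log (
    note VARCHAR(200)
);

CREATE PROCEDURE app_owner.add_audit(IN p_note VARCHAR(200))
BEGIN
    -- Runs with the permissions of its owner (app_owner), who owns the table.
    INSERT INTO app_owner.audit_log (note) VALUES (p_note);
END;

-- 3. Read access through a second group; members inherit the grant.
GRANT CONNECT TO audit_readers;
GRANT GROUP TO audit_readers;
GRANT SELECT (note) ON app_owner.audit_log TO audit_readers;

GRANT CONNECT TO laura_smith IDENTIFIED BY placeholder_user_pw;
GRANT MEMBERSHIP IN GROUP audit_readers TO laura_smith;

-- 4. Write access only through the procedure, granted per procedure.
GRANT EXECUTE ON app_owner.add_audit TO laura_smith;

-- Connected as laura_smith:
CALL app_owner.add_audit('login reviewed');           -- allowed: EXECUTE permission
SELECT note FROM app_owner.audit_log;                 -- allowed: inherited SELECT
-- INSERT INTO app_owner.audit_log VALUES ('x');      -- refused: no INSERT permission
-- SELECT note FROM audit_log;                        -- not found: laura_smith is neither
--                                                    -- the owner nor in the owning group

-- 5. Withdraw access again (run as DBA).
REVOKE EXECUTE ON app_owner.add_audit FROM laura_smith;
REVOKE MEMBERSHIP IN GROUP audit_readers FROM laura_smith;
```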
32
Backup
33
Backup

Three Types of Backup:
- FULL backup
- INCREMENTAL backup
- INCREMENTAL-since-FULL backup

All will back up the IQ Store and the Catalogue Store. The IQ Temporary Store is never backed up.
34
Backup Types

- FULL causes a full backup of the Catalogue and IQ Stores
- INCREMENTAL makes a full backup of the Catalogue Store, and backs up all changes to the IQ Store since the last IQ backup of any type
- INCREMENTAL SINCE FULL makes a full backup of the Catalogue Store, and backs up all changes to the IQ Store since the last FULL IQ backup
35
Backup Processing

- Backup backs up committed data only
- Backup begins and ends with a checkpoint
- Any data that is committed during the backup process will be included in the backup
- The transaction log is not backed up; it is deleted after a successful backup

[Diagram labels: IQ Store, Catalog Store, Trans. Log, Tape Drive(s)]
1. Issue Checkpoint
2. Write Marker into Log
3. Write Catalog to Tape(s)
4. Write (Changed) Data To Tape(s)
5. Write Marker into Log
6. Check for Completed TX.
7a. If there are - backup the changed pages, then go to 5.
7b. If there are no committed TX - Checkpoint, Delete Log and Stop
36
Transaction Log

- The log is deleted or renamed after a backup completes
- Not needed for a Restore
- If there are ASA tables in the catalog store (other than system tables) you must retain the log to recover transactions for this data
37
Restore

Before Restore:
- You must have DBA authority
- No users on the database
- The database server must be running
- To ensure exclusive access start the server with the -gd option (-gd dba)
38
Restore Restrictions

- For incremental restores there must be no user access between restores
- Restore will create and drop dbspaces as required
39
When to do Restores

- If the database is corrupt - you must do a restore
- If the last backup was FULL, restore the FULL backup only
- If you have an INCREMENTAL SINCE FULL backup that precedes the database failure, then restore the FULL followed by the INCREMENTAL SINCE FULL
40
Checking the Database
41
sp_iqcheckdb

    sp_iqcheckdb 'mode target [...] [resources resource-percent]'

- Checks the consistency of (and optionally repairs) a specified table, index, or the entire database
- Parameter string must be enclosed in single quotes (<255 bytes)
- mode: allocation | check | verify | repair
- target: database | table table-name | index index-name
- resource-percent: (optional) The resources percentage allows you to limit the CPU utilization of the database consistency checker

This command performs database consistency checking. Details on this command are found in the Sybase IQ Troubleshooting and Error Message Guide.
42
sp_iqcheckdb - Check Mode
- Reads all data pages and checks allocation problems and index inconsistencies
- Target may be the database, a table, an index
  - If a table, it will check all indexes for that table
- Examples:
      sp_iqcheckdb 'check database'
      sp_iqcheckdb 'check table t1'
      sp_iqcheckdb 'check index t1c1hng'
43
sp_iqcheckdb - Verify Mode
- Performs inter-index consistency check as well as all checks performed in 'check' mode
- Contents of non-FP indexes checked against FP indexes
- Runs longer than Check Mode
- Examples:
      sp_iqcheckdb 'verify database'
      sp_iqcheckdb 'verify table t1'
      sp_iqcheckdb 'verify index t1c1hng'

Verify checks the indexes to see if the value in the FP index is consistent with the value in the other indexes for the same column. This check may take some time depending on the number of indexes to check. If an index name is not unique in the database you will need to fully qualify the index name as tablename.indexname.
44
sp_iqcheckdb - Allocation Mode
- Checks that each database block is allocated correctly according to internal page mapping structures (blockmaps)
- Does not check index consistency or all allocation structures
- Should be run after a forced recovery
- Runs faster than Check Mode
- Examples:
      sp_iqcheckdb 'allocation database'
      sp_iqcheckdb 'allocation table t1'
      sp_iqcheckdb 'allocation index t1c1hng'
45
sp_iqcheckdb - Repair Mode
- Runs detailed index checking and can repair many types of index inconsistencies
- No allocation checking
- Will report indexes repaired
- Must issue a COMMIT after running to complete repairs
- Database backup is recommended before running
- Examples:
      sp_iqcheckdb 'repair database'
      sp_iqcheckdb 'repair table t1'
      sp_iqcheckdb 'repair index t1c1hng'
46
sp_iqcheckdb - Output Report
- Reports an extensive list of statistics and all errors
- Errors are flagged with '*****'
- If errors are reported some statistics may be inaccurate
- Output is reported to the IQ Message File
- "Future Version Errors" message
  - This message indicates DDL was performed during the check
  - Leaked Blocks will not be reported and any new objects will not be checked

"Leaked Blocks" are blocks that are allocated but not used.
47
Checkdb Output

DB Statistics                      Value   Flags
---------------------------------- ------- -------
IQ DBCC Verification Summary
Total Blocks In Database
Blocks Marked as In Use            1026
Blocks Verified as In Use          1026
Blocks Detected as Duplicates      0
Blocks Detected as Unowned         0
Blocks Detected as Leaked          0
Tables Verified                    9
Indexes Verified                   74
Join Indexes Verified              0
48
Database Administration
- New Option for IQ Monitor output files
  - You may specify a directory for IQ Monitor output files
- DBCC Progress Messages
  - Messages report progress of sp_iqcheckdb in the IQ Message File
  - New database option DBCC_Log_Progress = 'On'
- Dbspace Management Enhancements
  - Details will follow on the following slides
49
Checking the database

- There are 3 procedures that check the system "metadata" in addition to SP_IQCHECKDB
- These are:
  - SP_IQDBSIZE
  - SP_IQTABLESIZE
  - SP_IQINDEXSIZE
- These procedures not only report on sizes, they check on the objects, and will fail if there is an error
- At this point the procedure SP_IQCHECKDB should be executed
50
Warning

- Just because the procedures execute cleanly does not guarantee that the object is clean, but it is a good quick check
- If you suspect there is corruption in the database you should run SP_IQCHECKDB first
  - But this will take time
- If SP_IQCHECKDB finds corruption then run the other procedures to try and localize the corruption - or run SP_IQCHECKDB with the fix options on
51
Server/Database information
- Everyone knows sp_iqstatus
- But also try:
  - sa_conn_properties - this does not just display the options list; there is a set of almost useful counters at the front of the report
  - sa_db_properties - this gives you the database related information, again sometimes useful
  - sa_eng_properties - this returns the engine related data