Preparing for Role Separation (UNIX)

You can use role separation to allow members of the DBSA group to run Enterprise Replication commands, in addition to the user informix. For some Enterprise Replication commands, you must grant the DBSA user additional permissions on tables or files. For non-root servers, role separation is not supported. Only the owner of a non-root server is allowed to run the Enterprise Replication commands that require additional permissions for a DBSA.

The DBSA user who runs Enterprise Replication commands must be a member of the DBSA group on all of the replication servers in the domain.

The following table describes the permissions that are needed for each command.

Table 1. Permissions for the DBSA user
| Command | Type of Permission | Tables, Files, or Database |
|---|---|---|
| cdr check replicate, cdr check replicateset, cdr define replicate, cdr define replicateset, cdr define template, cdr realize template, cdr sync replicate, cdr sync replicateset | INSERT, UPDATE, DELETE | The tables that participate in replication. Must be granted on all replication servers in the domain. |
| The following commands with the --background option: cdr check replicate, cdr check replicateset, cdr sync replicate, cdr sync replicateset | CONNECT or INSERT, depending on the object | sysadmin database: CONNECT. ph_task table in the sysadmin database: INSERT. Must be granted on the database server from which the command is run. |
| cdr define repair, cdr start repair, cdr stop repair, cdr delete repair. The following commands with the --syncdatasource option: cdr realize template, cdr start replicate, cdr start replicateset | INSERT, UPDATE, or DELETE, depending on the table | The following syscdr tables: rsncjobdef_tab: INSERT, UPDATE, DELETE; rsncjobdef: UPDATE; rsncprocnames_tab: INSERT; rsncjobdeps: INSERT. Must be granted on all replication servers in the domain. |
| cdr repair, cdr view atsdir, cdr view risdir | read | ATS and RIS files. Must be granted on the database server on which the files are located. |

To update the permissions on a table or database, use the GRANT statement. For example, the following statement grants INSERT and UPDATE permissions on the rsncjobdef_tab table to the DBSA member with the user name of carlo:

GRANT INSERT, UPDATE ON rsncjobdef_tab TO carlo;

For more information about the GRANT statement, see the HCL OneDB™ Guide to SQL: Syntax.

To update the permissions on ATS and RIS files, use an operating system command, such as the chown UNIX™ command.
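The following shell functions are an added example, not part of the HCL OneDB documentation. They audit an ATS or RIS directory for files that a DBSA group cannot read, then grant read access through group ownership (chgrp and chmod, used here instead of chown so the file owner is unchanged). The directory path and group name are supplied by the caller, and treating world-readable files as a finding is a least-privilege assumption of this example.

```shell
#!/bin/sh
# Added example: audit and repair read access to ATS/RIS files for a DBSA group.
# DIR and GROUP are caller-supplied; no path or group name here is a OneDB default.

# audit_spool_dir DIR GROUP
# Prints "<reason> <path>" for each problem file; returns 0 if clean, 1 otherwise.
#   wrong-group    file is not group-owned by GROUP
#   no-group-read  group read bit (g+r) is missing
#   world-read     file is readable by every local account (assumed policy)
audit_spool_dir() {
    dir=$1 group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        find "$dir" -type f ! -group "$group" | sed 's/^/wrong-group /'
        find "$dir" -type f ! -perm -040      | sed 's/^/no-group-read /'
        find "$dir" -type f -perm -004        | sed 's/^/world-read /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# grant_group_read DIR GROUP
# Gives GROUP read access to every file in DIR and removes world read.
# The directory also needs g+x, or group members cannot open the files in it.
grant_group_read() {
    dir=$1 group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    chgrp "$group" "$dir" && chmod g+rx,o-rwx "$dir" || return 1
    find "$dir" -type f -exec chgrp "$group" {} + || return 1
    find "$dir" -type f -exec chmod g+r,o-r {} +
}

# Usage: sh this_script.sh /path/to/ats_or_ris_dir dbsa_group_name
if [ $# -eq 2 ]; then
    audit_spool_dir "$1" "$2"
fi
```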