Security for external routines (UDRs)

External routines with shared libraries that are outside the database server can be security risks. External routines include user-defined routines (UDRs) and the routines in DataBlade® modules.

A database server administrator (DBSA), the user onedb by default, can implement security measures that establish which users can register external routines. This prevents unauthorized users from registering the external routines.

Use the IFX_EXTEND_ROLE configuration parameter to restrict the ability of users to register external routines.

The default value of the IFX_EXTEND_ROLE configuration parameter is 1 (or On).

When the IFX_EXTEND_ROLE configuration parameter is set to On:

  • You can grant a user the privileges to create or drop a UDR that has the EXTERNAL clause.
  • The EXTEND role is operational and you can grant a user the privileges to create or drop an external routine that has the EXTERNAL clause.

When you grant the EXTEND role to a specific user, the sysroleauth system catalog table is updated to reflect the new built-in role.

After you set the IFX_EXTEND_ROLE configuration parameter to On, a DBSA can use the following syntax to grant and revoke privileges to and from specific users.

  • GRANT EXTEND TO username
  • REVOKE EXTEND FROM username
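The following is an added example, not part of the product documentation, showing how a DBSA might grant the role and then audit who holds it and which external routines are already registered. The user name appdev is hypothetical, and the catalog columns used (rolename, grantee and is_grantable in sysroleauth; procname, owner, externalname and langid in sysprocedures; langid and langname in sysroutinelangs) are assumed to follow the standard system catalog layout, so confirm them against your server version.

```sql
-- Added example. Run as a DBSA, with IFX_EXTEND_ROLE set to 1 (On).
-- System catalog tables are per database: repeat the audit in each database.
-- 'appdev' is a hypothetical user name.

-- 1. Allow one named user to register external routines.
GRANT EXTEND TO appdev;

-- 2. List every current holder of the EXTEND role in this database.
--    (Column names are assumed; see the lead-in.)
SELECT grantee, is_grantable
  FROM sysroleauth
 WHERE UPPER(rolename) = 'EXTEND'
 ORDER BY grantee;

-- 3. Inventory registered external routines and the shared library
--    or class that each one loads, so the paths can be reviewed.
SELECT p.procname, p.owner, l.langname, p.externalname
  FROM sysprocedures p
  JOIN sysroutinelangs l ON l.langid = p.langid
 WHERE p.externalname IS NOT NULL
 ORDER BY p.owner, p.procname;

-- 4. External routines whose owner does not currently hold EXTEND.
--    These may predate enforcement of the role or belong to an
--    installed module; review each owner/library pair against
--    what you expect to find.
SELECT p.procname, p.owner, p.externalname
  FROM sysprocedures p
 WHERE p.externalname IS NOT NULL
   AND p.owner NOT IN (SELECT r.grantee
                         FROM sysroleauth r
                        WHERE UPPER(r.rolename) = 'EXTEND')
 ORDER BY p.owner, p.procname;

-- 5. Withdraw the privilege when the user no longer needs it.
REVOKE EXTEND FROM appdev;
```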

If you do not want to restrict UDR access, set the IFX_EXTEND_ROLE configuration parameter to 0 (or Off). When the IFX_EXTEND_ROLE parameter is set to Off, the EXTEND role is not operational and any user can register external routines.

The dbimport utility, in particular, is affected when the IFX_EXTEND_ROLE configuration parameter is set to On, because a user who uses dbimport to create a new database has not been granted the EXTEND role on that database.

For more information, see the HCL OneDB™ Guide to SQL: Syntax.