When a new release is created, the SQL scripts contain statements like
‘grant … on … to public’
The role public is part of every user who can make a connection with the database. This results in the effect that I’m not able to give developers rights to look into production databases, because if I give these rights, they are also able to mutate the content of the database.
In my configuration only the applicationpooluser of indicium/indicium universal/webgui needs rights to the database.
So, my request is not to grant rights to the role public, but to a rolename defined by myself. This gives me the ability to create a difference between the rights of the applicationpooluser and any other users I want to give access to the database.
To add to the idea: shouldn't the whole concept of granting permissions be dropped from the SF when using Indicium? The Pool User is db_owner as per the Thinkwise documentation, so I don't see a reason to explicitly grant additional rights as part of deployments.
I understand that the current behavior might still be useful for clients who don't use Indicium as a service layer (yet), but could we in the meantime please have a way to turn this behavior OFF by Default (i.e. introduce a setting in the SF ASAP)?
FYI: we fixed this ourselves by adding a MANUAL stored procedure.
A new tag has been introduced to modify whether a
grant .. on .. public
will be added at the end of procedures such as creating tables or stored procedures. This line affects database authorization for functionality and upgrades. When you add the tag NO_GRANT_TO_PUBLIC to a specific project, this line will no longer be added to any procedure within the context of the project. Note that you need to generate the project's definition after adding the tag.
You can add the tag to the Software Factory's Advanced menu > Projects > tab Project tags. If added here, it will be applied to your entire project.
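An added example, not part of the thread and not Thinkwise's own script: assuming the database is SQL Server (db_owner, mentioned above, is a SQL Server fixed database role), this T-SQL lists the object permissions currently granted to public and generates, for review, the statements that would move them to a self-defined role. The role name app_pool_role is hypothetical.

```sql
-- Added example. Assumptions: SQL Server (T-SQL); app_pool_role is a
-- hypothetical role name chosen for illustration.

-- 1. Audit: object-level permissions that public holds on user-created objects.
SELECT  s.name            AS schema_name,
        o.name            AS object_name,
        o.type_desc       AS object_type,
        p.permission_name,
        p.state_desc
FROM    sys.database_permissions AS p
JOIN    sys.objects AS o ON o.object_id = p.major_id
JOIN    sys.schemas AS s ON s.schema_id = o.schema_id
WHERE   p.class = 1                                   -- object or column
  AND   p.minor_id = 0                                -- whole object, not a column
  AND   p.state IN ('G', 'W')                         -- GRANT / GRANT WITH GRANT OPTION
  AND   p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND   o.is_ms_shipped = 0
ORDER BY s.name, o.name, p.permission_name;

-- 2. Create the self-defined role once.
IF DATABASE_PRINCIPAL_ID('app_pool_role') IS NULL
    CREATE ROLE app_pool_role;

-- 3. Generate (do not execute) one GRANT-to-role and one REVOKE-from-public
--    statement per finding, so the result set can be reviewed before running.
SELECT  N'GRANT '  + p.permission_name COLLATE DATABASE_DEFAULT
      + N' ON OBJECT::' + QUOTENAME(s.name COLLATE DATABASE_DEFAULT)
      + N'.' + QUOTENAME(o.name COLLATE DATABASE_DEFAULT)
      + N' TO app_pool_role;'                         AS grant_to_role,
        N'REVOKE ' + p.permission_name COLLATE DATABASE_DEFAULT
      + N' ON OBJECT::' + QUOTENAME(s.name COLLATE DATABASE_DEFAULT)
      + N'.' + QUOTENAME(o.name COLLATE DATABASE_DEFAULT)
      + N' FROM public;'                              AS revoke_from_public
FROM    sys.database_permissions AS p
JOIN    sys.objects AS o ON o.object_id = p.major_id
JOIN    sys.schemas AS s ON s.schema_id = o.schema_id
WHERE   p.class = 1
  AND   p.minor_id = 0
  AND   p.state IN ('G', 'W')
  AND   p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND   o.is_ms_shipped = 0
ORDER BY s.name, o.name, p.permission_name;

-- 4. Membership: replace the placeholder with the real application pool user.
-- ALTER ROLE app_pool_role ADD MEMBER [<application-pool-user>];
```

Running the first query again after the generated statements have been applied should return no rows; a read-only developer login then sees only what is granted to it explicitly.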