Security bug fixes

Corrects a number of bugs in security and SQL DDL.
1. 1439316: Internal error when creating view with sequence.
2. 1441825: User in role-owned schema is not given grant option.
3. 1447328: DB__ROOT required to revoke component privileges by other users.
4. 1447330: DB__ROOT required to revoke object and column privileges granted by other users.

In addition, Launchpad bugs 1350627 and 1438886 were tested and found to no longer be defects.
Two new component-level privileges were added, MANAGE and MANAGE_PRIVILEGES.
Users who have the MANAGE_PRIVILEGES component-level privilege can grant and revoke privileges at the schema, object, and column level on behalf of other users and roles. Users who have the MANAGE_PRIVILEGES component-level privilege can also grant "WITH GRANT OPTION" any privilege they have.
A user granted the MANAGE privilege has all the MANAGE_* privileges, which include MANAGE_COMPONENTS, MANAGE_LIBRARY, MANAGE_LOAD, MANAGE_PRIVILEGES, MANAGE_ROLES, MANAGE_STATISTICS, and MANAGE_USERS.

Column-level privileges - part 2

Support for column-level privileges will be in multiple deliveries.
This delivery adds the following portions:
1. DML operations (SELECT, INSERT, UPDATE) now recognize granted column-level privileges.
2. CREATE VIEW now recognizes granted column-level privileges.
3. Revoke of object-level privileges now revokes the corresponding column-level privilege.
Missing functionality:
1. Privileges can be granted to roles and revoked from roles, but REVOKE ROLE does not consider column-level privileges when determining if an object depends on a role's granted privileges.
2. Column-level revoke does not enforce RESTRICT, i.e., privileges may be revoked even if there are dependent privileges.
3. ALTER TABLE DROP COLUMN does not remove associated column-level privileges, nor does it check for dependent objects.
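
The column-level behavior and the listed gaps, walked through as an added example that is not part of the original note or the project's own code. The schemas HR and ANALYST_SCH, the table, its columns, the view and the users ANALYST1 and PAYROLL_CLERK are hypothetical names chosen for illustration.

```sql
-- Added example; all object and user names are hypothetical.

-- Column-level grants: each user is limited to the named columns.
GRANT SELECT (emp_id, emp_name) ON TABLE hr.employees TO analyst1;
GRANT UPDATE (salary) ON TABLE hr.employees TO payroll_clerk;

-- As ANALYST1: DML is checked against the column-level grant.
SELECT emp_id, emp_name FROM hr.employees;  -- covered by the grant
SELECT salary FROM hr.employees;            -- expected to be rejected: no privilege on SALARY

-- As ANALYST1: CREATE VIEW recognizes the same column-level grant.
CREATE VIEW analyst_sch.emp_directory AS
  SELECT emp_id, emp_name FROM hr.employees;

-- Missing functionality 2: a column-level REVOKE does not enforce RESTRICT,
-- so nothing stops it while the view above still depends on the privilege.
-- Review and drop dependent objects by hand before revoking.
DROP VIEW analyst_sch.emp_directory;
REVOKE SELECT (emp_id, emp_name) ON TABLE hr.employees FROM analyst1;

-- Missing functionality 3: DROP COLUMN leaves column-level privileges behind
-- and does not check for dependent objects. Revoke the column grants first.
REVOKE UPDATE (salary) ON TABLE hr.employees FROM payroll_clerk;
ALTER TABLE hr.employees DROP COLUMN salary;

-- Object-level revoke: per this delivery it also removes the corresponding
-- column-level privilege, so one statement clears both for a user.
REVOKE SELECT ON TABLE hr.employees FROM analyst1;
```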