16.10 - Secure Zone User Types - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release: 16.10
Created: June 2017
Category: Administration, Security
Document number: B035-1100-161K

The following list describes the different types of users that are associated with a zone:

  • zone creator

    Creates zones and assigns a user or a database as the zone root. Zone creators cannot access the objects or data in the zones that they create. Any user who holds the ZONE privilege (CREATE ZONE and DROP ZONE) WITH GRANT OPTION can grant CREATE ZONE and DROP ZONE to other users.

    Only the zone's creator can add a root and primary DBA to a zone, or drop them from it.

    If the zone creator creates the zone with a user as root, then the zone creator must have DROP USER privilege on that user. Once the root is assigned to a zone, all privileges on the root user are revoked from the zone creator.

    If the zone creator creates the zone with a database as root, then the zone creator must have CREATE USER privilege on the database that becomes a root. Once the root is assigned to a zone, all privileges except CREATE USER privilege on the root database are revoked from the zone creator.

    A zone creator may grant zone access to users or roles that exist outside of the zone and is also responsible for revoking access to the zone.

    A zone creator must have CREATE ZONE and DROP ZONE privileges. A zone creator cannot be dropped until the zone itself is dropped.

    Zone creators who create multiple zones function as system-level zone administrators for those zones.

  • zone root

    The empty database or user on which the zone creator creates a zone.

    A zone creator creates the zone and associates a database or a user with it as its root. The zone root database or user must be empty: it cannot own any objects, users, databases, roles, or profiles, and it cannot hold privileges on any other user. Likewise, no user other than the zone creator, the root's owner, and the root's creator may hold privileges on the root.

    If the zone root is a database, the zone creator must subsequently assign a primary DBA to the zone. If the zone root is a user, that user automatically becomes the primary DBA for the zone.

  • primary zone DBA

    A primary zone DBA acts as the zone’s database administrator.

    The zone creator creates the primary zone DBA and assigns it to the zone. The primary zone DBA can create zone users, databases, and objects, as well as zone-level objects such as roles and profiles.

  • zone user

    A permanent database user with privileges in a zone. A zone user is a user that is created by another user in the zone, under the hierarchy of the zone root. Zone users are created using the existing CREATE USER syntax. A zone user cannot be a zone guest of another zone.

    Only zone users can grant privileges on database objects within the zone to zone guests.

  • zone guest

    A zone guest is a role or user located outside of the zone that is granted privileges to create and access objects in the zone where it is a guest. A zone can have many zone guests, and a user or a role can be a guest of more than one zone.

    Zone guests cannot grant privileges on zone objects to other users.

    To make an external LDAP user a zone guest, the zone creator can use the GRANT ZONE syntax to grant zone access privilege to an external role. External users that log on with that role are able to access the zone objects that they have privileges on.

    Zone users cannot grant privileges to zone guests WITH GRANT OPTION, so a guest can never pass zone privileges on to a third party.

    Zone guests with the required privileges can create users, databases, and TVM objects (tables, views, and macros) inside the zone, but they cannot add another guest to the zone.

    Zone guests can create views, triggers, and macros on the zone objects in their perm space.
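The following script is an added example, not part of this Teradata documentation page, that walks through the roles described above in one Secure Zone lifecycle: a zone creator building a zone on an empty database root, adding the primary DBA, admitting an external LDAP-mapped role as a guest, and a zone user granting a guest object access without WITH GRANT OPTION. All object names (zone_admin, hr_root, hr_zone, hr_dba, hr_user, ext_hr_role, payroll) and the passwords are hypothetical, and the statement forms are reproduced from memory of the 16.10 SQL reference rather than from this page, so verify them against your release before running.

```sql
-- Added example (hypothetical names; statement syntax to be verified against
-- the Teradata Database 16.10 SQL reference, it is not taken from this page).

-- 1. Delegating zone creation. Run as a user that holds CREATE ZONE and
--    DROP ZONE WITH GRANT OPTION. zone_admin becomes a zone creator and will
--    act as system-level administrator for every zone it creates.
GRANT CREATE ZONE, DROP ZONE TO zone_admin;

-- 2. Run as zone_admin. The root must be EMPTY: no objects, users, databases,
--    roles or profiles under it, and no privileges held on it by anyone but
--    the zone creator, the root's owner and the root's creator.
CREATE DATABASE hr_root FROM dbc AS PERM = 10e9;

-- 3. Create the zone on the database root. Because the root is a database
--    (not a user), a primary DBA still has to be assigned. After this
--    statement zone_admin keeps only CREATE USER on hr_root, which is exactly
--    what step 4 needs; every other privilege on hr_root is revoked from it.
CREATE ZONE hr_zone ROOT hr_root;

-- 4. Still zone_admin: create the primary zone DBA under the root and add it.
--    Only the zone's creator may add or drop the root and primary DBA.
CREATE USER hr_dba FROM hr_root AS PERM = 5e9, PASSWORD = 'Hyp0thet1cal!';
ALTER ZONE hr_zone ADD DBA hr_dba;

-- Variant with a USER as root (requires DROP USER on fin_root beforehand):
-- the root user automatically becomes the primary DBA, and all privileges
-- on fin_root are revoked from zone_admin once the zone is created.
--   CREATE USER fin_root FROM dbc AS PERM = 10e9, PASSWORD = 'Hyp0thet1cal!';
--   CREATE ZONE fin_zone ROOT fin_root;

-- 5. Zone guest admission. Only the zone creator can do this. Granting zone
--    access to an external role makes every LDAP user that logs on with that
--    role a guest; they still need object privileges from a zone user (step 7).
GRANT ZONE hr_zone TO ext_hr_role;

-- 6. Run as hr_dba. Zone users are ordinary CREATE USER statements issued
--    from inside the zone hierarchy; hr_user is automatically a zone user.
CREATE USER hr_user FROM hr_dba AS PERM = 1e9, PASSWORD = 'Hyp0thet1cal!';

-- 7. Run as hr_user. A zone user grants object privileges to the guest.
CREATE TABLE hr_user.payroll (emp_id INTEGER, salary DECIMAL(12,2));
GRANT SELECT ON hr_user.payroll TO ext_hr_role;

-- The same grant WITH GRANT OPTION is not permitted to a zone guest, so a
-- guest can never re-grant zone data outward. Expected to fail:
--   GRANT SELECT ON hr_user.payroll TO ext_hr_role WITH GRANT OPTION;

-- 8. Off-boarding and teardown, run as zone_admin. Guests are revoked by the
--    zone creator; the zone itself must be dropped before zone_admin can be.
REVOKE ZONE hr_zone FROM ext_hr_role;
ALTER ZONE hr_zone DROP ROOT;   -- assumed form; detaches hr_root and hr_dba
DROP ZONE hr_zone;
```

Two checks worth making after step 3: confirm that zone_admin can no longer SELECT from anything under hr_root (a zone creator has no access to zone data), and that a SELECT on hr_user.payroll by a member of ext_hr_role succeeds only after step 7, not after step 5 alone. Zone access and object privileges are separate grants, and both have to be revoked when a guest is removed.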