Granting the EXTEND Role

If the IFX_EXTEND_ROLE configuration parameter is set to ON or to 1, only users who hold the EXTEND role (and who also hold the Resource privilege on the database and the Usage privilege on the programming language in which the UDR is written) can create or drop UDRs that are written in the C or Java™ external languages that can support shared libraries.

The Database Server Administrator (DBSA), by default user informix, can grant the EXTEND role to one or more users or to PUBLIC with the GRANT EXTEND TO user-list statement.

Because EXTEND is a built-in role, the SET ROLE statement is not required for the EXTEND role to have this effect. It is sufficient for a user to hold the EXTEND role without using SET ROLE to enable it.

For example, suppose that user max holds Resource privileges on the database, and has also been granted Usage privilege on the C language by the GRANT USAGE ON LANGUAGE C statement. The following statement grants the EXTEND role to user max:

GRANT EXTEND TO 'max';

This statement enables user max to create or drop UDRs that are written in the C language, without requiring max to issue the SET ROLE EXTEND statement. (Here the quotation marks preserve the lowercase letters in the authorization identifier max.) Before user max can create or drop UDRs written in the Java language, however, the TO clause of a valid GRANT USAGE ON LANGUAGE JAVA statement must specify either 'max', or PUBLIC, or the name of a user-defined role that max holds (and that max has used the SET ROLE statement to specify as his current role).

In databases for which this security feature is not needed, the DBSA can disable this restriction on who can create or drop external UDRs by setting the IFX_EXTEND_ROLE configuration parameter to OFF or to 0 in the ONCONFIG file. When IFX_EXTEND_ROLE is set to OFF or to 0, any user who holds the Resource privilege (and also holds the Usage privilege on the programming language in which the UDR is written) can create or drop external UDRs.

Resource privileges on the database and Usage privilege on the external language are required for any user to create or drop an external UDR, regardless of the IFX_EXTEND_ROLE configuration parameter setting, or whether the user holds the EXTEND role. User informix, the DBA, or any user who has received Usage privileges WITH GRANT OPTION can grant Usage privileges on the SPL, C, and Java languages to PUBLIC. See Database-Level Privileges for information about granting the Resource privilege. See Language-Level Privileges for information about granting Usage privileges on programming languages.