Sybooks says:
- You can revoke a role from a user while the user is logged in. Adaptive Server verifies a user’s activated roles before performing access checks.
However, not all role checks are performed all the time.
If the login whose role was revoked doesn't disconnect and reconnect, it will still be able to do things requiring sa_role. (The same goes for granting the role: the login must reconnect.)
Example on ASE 15.7 SP122
session 1 login sa:
create login test_sa with password MyS3cretpw
go
grant role sa_role to test_sa
go
session 2 login test_sa:
select * from master..syslisteners -- normally not readable for non-sa
go
-- shows listener info
session 1:
revoke role sa_role from test_sa
go
-- role is revoked from test_sa
session 2, login test_sa:
select * from master..syslisteners -- normally not readable for non-sa
go
-- still shows listener info, even without the sa_role granted
Disconnect session 2, then reconnect with test_sa:
select * from master..syslisteners
go
Select permission denied on some columns
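
Added example (not part of the original post): since the revoke above only took effect for test_sa after a reconnect, an administrator can follow the revoke by finding that login's open sessions and ending them. It assumes it is run from session 1 by a login holding sa_role, and that ending a session is an acceptable way to force the reconnect.

```sql
-- Added example. Run as a login with sa_role (session 1 in the post).
-- test_sa is the login used in the post above.

-- 1. Revoke the role.
revoke role sa_role from test_sa
go

-- 2. Confirm the grant is gone: sp_displayroles lists the roles
--    currently granted to the named login.
sp_displayroles test_sa
go

-- 3. List sessions of that login that are still connected. Any session
--    listed here logged in before the revoke and has not reconnected.
select spid, hostname, program_name, status
from master..sysprocesses
where suid = suser_id('test_sa')
  and spid != @@spid          -- never list the session running this check
go

-- 4. Generate one kill statement per remaining session. Review the
--    output, then paste the lines you want into a new batch and run them.
select 'kill ' + convert(varchar(10), spid)
from master..sysprocesses
where suid = suser_id('test_sa')
  and spid != @@spid
go

-- 5. Re-run the query from step 3 after the kills have completed.
--    An empty result means no session opened before the revoke remains,
--    so every new connection by test_sa logs in without sa_role.
select spid, hostname, program_name, status
from master..sysprocesses
where suid = suser_id('test_sa')
  and spid != @@spid
go
```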