Understanding identity in Derby

Derby provides two kinds of identity, system-wide identity and database-specific identity.

System-wide identity: Currently, any legal system-wide identity enjoys authorization to perform the following operations:
- Create databases
- Restore databases
- Shut down the Derby engine
Database-specific identity: If you are a legal identity in a specific database, you may enjoy the following rights:
- You can connect to that database, provided that coarse-grained connection authorization has not been set to noAccess.
- You can shut down that database, encrypt it, and upgrade it, provided that you are the Database Owner.
- You can create your own SQL objects and write data to your own tables, provided that your coarse-grained connection authorization has not been set to readOnlyAccess.
- You can access other SQL objects, provided that the owners have granted you fine-grained SQL access to those objects, and provided you have not been limited by coarse-grained readOnlyAccess.

The distinction between fine-grained SQL authorization and coarse-grained connection authorization is described in Configuring user authorization.

Users and authorization identifiers
User names within the Derby system are known as authorization identifiers. The authorization identifier is a string that represents the name of the user, if one was provided in the connection request.
Database Owner
The term Database Owner refers to the current authorization identifier when the database is created, that is, the user creating the database. If you use NATIVE authentication, or if you manually enable or plan to enable SQL authorization, controlling the identity of the Database Owner becomes important.

Parent topic: Part Two: Configuring security for Derby

Related concepts

Basic security configuration tasks