Configuring user authorization

While authentication determines whether someone is a legal database user, authorization determines what operations can be performed by a user's identity.

Once you have set up authentication, you can configure authorization.

Derby offers two kinds of authorization:

Coarse-grained authorization, in which the Database Owner divides an application's users into two groups. One group has full authority to read and write all data. The other group merely has permission to read data.
Fine-grained authorization, in which the Database Owner and individual users issue SQL GRANT/REVOKE statements to declare who can read or write specific pieces of data and who can exercise specific application functions.

Configuring coarse-grained user authorization
You can manipulate coarse-grained access by using the builtin procedure SYSCS_SET_DATABASE_PROPERTY to set the database properties derby.database.fullAccessUsers and derby.database.readOnlyAccessUsers.
Configuring fine-grained user authorization
You can use fine-grained user authorization, also called SQL standard authorization, to restrict access to specific pieces of data.

Parent topic: Part Two: Configuring security for Derby

Related concepts

Basic security configuration tasks

Configuring database encryption

Using signed jar files

Configuring SSL/TLS

Understanding identity in Derby

Configuring user authentication

Configuring Java security

Restricting file permissions

Putting it all together