Skip to Content

ASE 16 encrypted database

Apr 04, 2017 at 08:58 PM


avatar image


When using the new SAP ASE 16 full encrypted database option:

-I assume that decrypt permission should be granted to a user/group ?

Thank you



10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Best Answer
Mark A Parsons Apr 17, 2017 at 02:52 PM

Database level encryption is used to secure the database while 'at rest', ie, pages out on disk are encrypted, pages in a db dump are encrypted. Primary objective is to make sure someone cannot retrieve data by reading directly from a database device or a db dump file.

As pages are read from disk into cache they are decrypted. While pages are in the dataserver (ie, in cache) they remain/are in an unencrypted state; anyone with permissions to access a table/column/row can see the (unencrypted) data. As pages are written to disk they are encrypted.

If you want to limit access to data (either at the table, column or row level) then you need to use another form of security (eg, grant/revoke, RLAC, column level encryption).

10 |10000 characters needed characters left characters exceeded
Ankitha Malalur Gopal
Apr 14, 2017 at 07:01 AM

Hi Jose,

There is no need for you to grant the decrypt permission to a user or group.

Best Regards,


SAP Product Support

10 |10000 characters needed characters left characters exceeded
Jose Torres Apr 17, 2017 at 01:55 PM

Thank you Ankitha,

So how can access to data can be restricted.?

For example:

assuming db_1 is encrypted then

t1 has 5 cols, cols #1 to #4 can be accessed by user_1, but col#5 not.

Thank you


Show 2 Share
10 |10000 characters needed characters left characters exceeded


Use grants for table + column or create views specific to group of users.

Column level grants :

grant select on t1 (col#1, .... col#4) to user_1

Using View

Create view vw_4_user_1 as select col#1, ... col#4 from t1.

Then grant access to user_1 on this view.

Grant select on vw_4_user_1 to user_1.



Thanks a lot Avinash.

So in the end, if I use encrypted cols option I can use both features in case needed?(db+col encryption)