Version 16 modernises the platform in four big ways:
Support Packages up to build 1823 extend the picture with LDAP log-ins, disk sandboxing, RSA/AES crypto, multi-producer OData and more. Most benefits are turnkey after an upgrade + catalog rebuild, but security changes demand new GRANT/REVOKE statements and sometimes a review of certificate stores.
16 replaces the old "authorities & permissions" model with system privileges, roles and role administrators, giving one privilege per sensitive operation (eg ALTER ANY TABLE) and bundled roles for convenience.
New object-level privileges LOAD and TRUNCATE let you grant bulk-load or quick-purge rights without full DDL access.
GRANT / REVOKE syntax, system views (SYSROLEGRANT*, SYSGROUP*) and Sybase Central wizards were overhauled to manage the new model.
LDAP-based database logins arrive with new root-policy options (ldap_primary_server, auto-fail-back, etc.), DDL (CREATE LDAP SERVER … VALIDATE) and the SYSLDAPSERVER catalog.
Clients can also authenticate via PAM (Unix/Linux) or OS certificate stores; the server will look up trusted roots automatically when trusted_certificates=* is set.
DBAs can mint custom secure-feature keys that unlock only selected features for a user (sp_create_secure_feature_key, etc.).
Disk sandboxing (server -sbx, DISKSANDBOX on START DATABASE) confines read-write operations to the database directory and is itself protected by two new secure-features.
OpenSSL replaces Certicom; ECC is withdrawn, TLS 1.1 is added, and FIPS deployments must switch to AES-encrypted identity files.
New RSA helpers (sp_generate_key_pair, SECURE_SIGN_MESSAGE, …) enable message signing and asymmetric encryption inside the engine.
The cost-based optimizer now evaluates non-left-deep join trees, cutting run-time on star and snowflake queries.
Topology-aware scheduling binds workers to a single core per socket before spilling to siblings, reducing NUMA cross-talk; it is toggled via sa_server_option('TopologyScheduler','ON|OFF').
sa_cpu_topology and the -gta option let you hot-add or retire CPUs without restarting.
Native ROW() and ARRAY[…] columns, variables and domains replace VARCHAR-lists; they can be UNNESTed in SQL and passed as IN/OUT parameters.
Max packet size up from 16 kB to 65 535 bytes for both client libraries and TDS gateways.
Initial cache is now decoupled from the configured max cache, avoiding oversized warm-starts.
Domains can store ROW/ARRAY definitions; CREATE ROLE, ALTER ROLE, DROP ROLE manage custom roles.
Parameterised statements in the graphical plan viewer now display the parameterised form, easing plan-cache debugging.
Official drivers for Node.js ≤ v8 and PHP 7 ship out of the box; JDBC and ODBC gain TIMESTAMPADD/DIFF escapes and the optional ClientAutocommit connection flag.
A new HANAODBC server class makes SAP HANA a first-class remote source (statement snippets in § 1 of the PDF).
The database can now host multiple OData Producers directly, backed by an embedded Jetty HTTP stack; start-up is via -xs odata(...) or SQL DDL (CREATE ODATA PRODUCER).
Support Packages add optimistic concurrency (ETags), CSRF tokens, deep inserts and richer OSDL mapping.
webservice_sessionid_name lets you rename the cookie used for HTTP session tracking, avoiding clashes with proxies or SSO gateways.
Fine-grained event tracing logs system- or user-defined events to ETD files via CREATE TEMPORARY TRACE EVENT SESSION, secure-feature trace_system_event, and helper procedures (sp_trace_*).
The ageing MobiLink Monitor is retired; the new Profiler stores detailed timing/bottleneck data in a SQL Anywhere DB and offers blocking analysis.
dbunload -ss suppresses column-statistics generation, dbspawn returns an explicit EXIT_SERVER_NAME_IN_USE when a duplicate server starts, and createcert/viewcert support PKCS-1 private keys.
Disk sandboxing settings can be toggled live through sa_server_option / sa_db_option, protected by the manage_disk_sandbox secure feature.
A revamped Sybase Central manages roles/privileges, LDAP servers and text indexes on materialised views; Interactive SQL tests ODBC/UltraLite DSNs inline.
New server switches: -al for mixed DBA/standard log-in, -ufd for fatal-error policy, multiple -xs to listen on several protocols, and -edi for database isolation.
LDAP authentication hooks (ml_add_ldap_server) and relay-server parity with SQL Anywhere's new crypto stack.
Profiler-based diagnostics, TLS certificate options, offline-log retrieval through the server, and fresh CLI switches for mluser / mlreplay.
Android x86, UWP and AES-256 on BlackBerry are now included; syssyncresult surfaces user-auth messages to the client.
System procedures default to invoker-rights in new databases unless you specify SYSTEM PROCEDURE AS DEFINER, tightening privilege leakage.
Passwords are case-sensitive by default; minimum length rises to 3 chars.
ECC removal, bigger default cache minimum (64 MB) and packet-size limits affect mixed-version fleets.