On 09/29/2015 01:38 PM, Wols Lists wrote:
> On 29/09/15 11:20, Alex Peshkoff wrote:
>> On 09/29/2015 01:11 PM, Paul Vinkenoog wrote:
>>> Alex Peshkoff wrote:
>>>
>>>> Please look at this trivial sample.
>>>>
>>>> create table t (f int);
>>>> grant select on t to public granted by abc;
>>>> revoke all on all from abc;
>>>>
>>>> Currently privileges, granted by user ABC, remain as is after executing
>>>> mentioned revoke operator. This looks like a bug for me, but before fixing
>>>> (existing SQL operator behavior to be changed) I want to ask here - does
>>>> anybody see problems with removing rights, granted by user, in subj?
>>> Why is this a bug? 'Revoke all on all from abc' means to take away all
>>> rights on any objects that were granted TO user ABC. IMO this should not
>>> imply that any privileges granted to other users/roles BY user ABC are also
>>> withdrawn.
>> If all rights were revoked from ABC, how can rights, granted by him,
>> remain in database?
>>
> Nothing specific to Firebird, but if ABC is a supervisor who has left
> the company, do you really want to mess up all the people who used to
> work for him?
>
> Or, rather more seriously, if ABC was the DBA, you can't leave him
> there, it's a massive security risk, but if you deleted him as per your
> rules, you'd end up with permissions of "everybody:none".

OK, I agree with such argument. So what should be better done:
1. Keep it as is
2. Add an option to revoke granted by ABC rights too
?

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel