Alex Peshkoff wrote:

> >>>> create table t (f int);
> >>>> grant select on t to public granted by abc;
> >>>> revoke all on all from abc;
> >>>>
> >>>> Currently privileges granted by user ABC remain as is after executing 
> >>>> the mentioned revoke operator. This looks like a bug to me, but before 
> >>>> fixing it (existing SQL operator behavior would be changed) I want to ask here 
> >>>> - does anybody see problems with removing rights granted by a user, in 
> >>>> subj?
> >>> Why is this a bug? 'Revoke all on all from abc' means to take away all 
> >>> rights on any objects that were granted TO user ABC. IMO this should not 
> >>> imply that any privileges granted to other users/roles BY user ABC are 
> >>> also withdrawn.
> >> If all rights were revoked from ABC, how can rights, granted by him,
> >> remain in database?
> >>
> > Nothing specific to Firebird, but if ABC is a supervisor who has left
> > the company, do you really want to mess up all the people who used to
> > work for him?
> >
> > Or, rather more seriously, if ABC was the DBA, you can't leave him
> > there, it's a massive security risk, but if you deleted him as per your
> > rules, you'd end up with permissions of "everybody:none".
> 
> OK, I agree with such argument.
> So what should be better done:
> 1. Keep it as is
> 2. Add an option to revoke granted by ABC rights too

If a user's rights need to be revoked because he leaves the company or his 
involvement with a certain database has ended, this shouldn't invalidate any 
rights he has granted to others in the past, because there's no reason to 
assume that these grants were unjustified.

This is the normal situation.

OTOH, if you throw someone out because you discovered that he is corrupt and 
untrustworthy, it's probably wise to revoke all rights granted by him, pending 
further investigation.

So a CASCADE option would be a welcome addition for such cases.

BTW Alex, you are right that revocations are supposed to cascade automatically 
- I looked it up in the Borland DataDef and LangRef. But I think it's a bad 
thing.

Cheers,
Paul
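
The scenario the thread describes, written out as an added example (not code from the thread or from the Firebird project) so that a DBA can reproduce it and audit what survives. It assumes Firebird, the thread's own user ABC and table T, and the system table RDB$USER_PRIVILEGES (which records the grantor of every privilege); the final REVOKE ... GRANTED BY is the manual substitute for the CASCADE option Paul asks for and needs a Firebird version that accepts the GRANTED BY clause on REVOKE:

```sql
-- Added example, not from the thread. Run as SYSDBA or the database owner.
create table t (f int);

-- Give ABC the right and let him pass it on, then record a grant made BY abc.
grant select on t to abc with grant option;
grant select on t to public granted by abc;

-- Take away everything granted TO abc. Per the thread, grants made BY abc
-- are not touched by this statement.
revoke all on all from abc;

-- Audit: every privilege still in force whose grantor is ABC.
-- After the statements above this should list PUBLIC / T / S (select on T).
select rdb$user, rdb$relation_name, rdb$privilege, rdb$grant_option
from rdb$user_privileges
where rdb$grantor = 'ABC';

-- Manual "cascade" for the untrustworthy-user case: each surviving grant has
-- to be revoked explicitly, naming ABC as grantor so the right row is matched.
revoke select on t from public granted by abc;

-- Re-run the audit query; it should now return no rows.
select rdb$user, rdb$relation_name, rdb$privilege
from rdb$user_privileges
where rdb$grantor = 'ABC';
```

Running the audit query before deciding between Paul's two cases (departed colleague vs. compromised account) is the practical step: it shows exactly which grants would be affected by a cascading revoke, so the choice can be made per grant instead of blindly.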

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
