Hi Alan, > I know in the past that the grantor must be the one who revokes that role. > > But now we have RDB$ADMIN a user with role RDB$ADMIN can create, edit and > delete users and grant a role to another user. > > I would have thought SYSDBA or indeed any other RDB$ADMIN user could revoke > any role. > > Firebird 2.5.2 - this is not the case. I get an exception > > > > unsuccessful metadata update SYSDBA is not grantor of Role on MANAGER to > 0S0ASDFASDF.
You have to use GRANTED BY here: revoke manager from 0S0ASDFASDF granted by rdb$admin Paul Vinkenoog