[firebird-support] Re: Roles - Permissions - RDB$ADMIN

2014-01-04 Thread Dmitry Yemanov
04.01.2014 14:03, Alan McDonald wrote:

> That may work but it doesn't seem right that we have to query the grantor
> before an RDB$ADMIN can issue the command. RDB$ADMIN, I thought, in theory,
> was to be equal in all things to SYSDBA, and SYSDBA should also be able to
> override a grant granted by some non-SYSDBA user. Surely?

AFAIR, SYSDBA cannot do it either. Or better say he can but the grantor 
must be known in advance. This is more or less by design, although I 
don't know whether it's required by the SQL spec or not.


Dmitry




RE: [firebird-support] Re: Roles - Permissions - RDB$ADMIN

2014-01-04 Thread Alan McDonald
> 04.01.2014 11:51, Alan McDonald wrote:
> 
> > > Users with RDB$ADMIN granted to them have the ability to create users.
> >
> > They can, of course, also grant other roles to users.
> >
> > But they cannot revoke roles already granted to a user by another
> > RDB$ADMIN or SYSDBA since the RDB$GRANTOR is always a user not a role.
> 
> Did you try the GRANTED BY clause in REVOKE?
> 
> 
> Dmitry
> 

That may work but it doesn't seem right that we have to query the grantor
before an RDB$ADMIN can issue the command. RDB$ADMIN, I thought, in theory,
was to be equal in all things to SYSDBA, and SYSDBA should also be able to
override a grant granted by some non-SYSDBA user. Surely?
Alan



[firebird-support] Re: Roles - Permissions - RDB$ADMIN

2014-01-04 Thread Dmitry Yemanov
04.01.2014 11:51, Alan McDonald wrote:

> Users with RDB$ADMIN granted to them have the ability to create users.
>
> They can, of course, also grant other roles to users.
>
> But they cannot revoke roles already granted to a user by another
> RDB$ADMIN or SYSDBA since the RDB$GRANTOR is always a user not a role.

Did you try the GRANTED BY clause in REVOKE?


Dmitry
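The following isql session is an added example, not code posted in the thread or shipped by the Firebird project. It walks through the situation Alan describes (SYSDBA grants a role, a different RDB$ADMIN member wants to revoke it) and the two steps Dmitry points to: look up the grantor in the system tables, then name it in REVOKE ... GRANTED BY. The database path, the users ADMIN2 and ALAN, the role REPORTS and the passwords are hypothetical; the syntax is Firebird 2.5 or later, which is where RDB$ADMIN and GRANTED BY were introduced.

```sql
-- Added example, not from the thread. Database path, user names, role name
-- and passwords are made up; the statements are Firebird 2.5+ isql syntax.

-- 1. SYSDBA grants a role. What Firebird records as the grantor is the
--    user SYSDBA, never a role, which is the root of the problem below.
CONNECT 'localhost:/data/app.fdb' USER 'SYSDBA' PASSWORD 'masterkey';
CREATE ROLE REPORTS;
GRANT REPORTS TO ALAN;
COMMIT;

-- 2. A second administrator connects. Membership of RDB$ADMIN only takes
--    effect when the role is actually specified at connect time (or via
--    AUTO ADMIN MAPPING), so pass ROLE explicitly.
CONNECT 'localhost:/data/app.fdb' USER 'ADMIN2' PASSWORD 'secret' ROLE 'RDB$ADMIN';

-- A bare REVOKE only removes grants made by the current user (ADMIN2), so
-- it leaves SYSDBA's grant untouched:
--   REVOKE REPORTS FROM ALAN;

-- 3. Find out who granted the membership. Role memberships live in
--    RDB$USER_PRIVILEGES with RDB$PRIVILEGE = 'M' ('Membership') and the
--    role name in RDB$RELATION_NAME.
SELECT RDB$USER, RDB$RELATION_NAME AS ROLE_NAME, RDB$GRANTOR
  FROM RDB$USER_PRIVILEGES
 WHERE RDB$PRIVILEGE = 'M'
   AND RDB$USER = 'ALAN'
   AND RDB$RELATION_NAME = 'REPORTS';
-- expected: one row with RDB$GRANTOR = SYSDBA

-- 4. Revoke on behalf of that grantor. GRANTED BY (synonym: AS) is only
--    accepted from SYSDBA, the database owner, or an RDB$ADMIN member.
REVOKE REPORTS FROM ALAN GRANTED BY SYSDBA;
COMMIT;

-- 5. Verify the membership row is gone.
SELECT COUNT(*) AS REMAINING
  FROM RDB$USER_PRIVILEGES
 WHERE RDB$PRIVILEGE = 'M'
   AND RDB$USER = 'ALAN'
   AND RDB$RELATION_NAME = 'REPORTS';
-- expected: 0
```

The lookup in step 3 is exactly the "query the grantor before issuing the command" step Alan objects to; the same query, dropping the AND conditions, is also a useful audit of every role membership and who handed it out, which is worth running periodically in any database where more than one account holds RDB$ADMIN.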