> 04.01.2014 11:51, Alan McDonald wrote:
>
> > Users with RDB$ADMIN granted to them have the ability to create users.
> >
> > They can, of course, also grant other roles to users.
> >
> > But they cannot revoke roles already granted to a user by another
> > RDB$ADMIN or SYSDBA since the RDB$GRANTOR is always a user not a role.
>
> Did you try the GRANTED BY clause in REVOKE?
>
>
> Dmitry
>
That may work but it doesn't seem right that we have to query the grantor before an RDB$ADMIN can issue the command. RDB$ADMIN, I thought, in theory, was to be equal in all things to SYSDBA, and SYSDBA should also be able to override a grant granted by some non SYSDBA user. Surely?

Alan
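
The two-step procedure discussed in this thread (look up the recorded grantor, then name it in REVOKE), as an added example that is not part of either message. The role AUDITORS and the users BOB and ALICE are constructed names, and the filter values for role-membership rows ('M', object type 13) are assumptions based on the Firebird 2.5 system tables.

```sql
-- Added example; AUDITORS, BOB and ALICE are constructed names.
-- Run it from a connection that has administrative rights
-- (SYSDBA, or a user connected with ROLE RDB$ADMIN).

-- Step 1: audit who granted which role to whom.
-- Assumption: role-membership rows carry RDB$PRIVILEGE = 'M' and
-- RDB$OBJECT_TYPE = 13, with the role name in RDB$RELATION_NAME.
SELECT TRIM(p.RDB$USER)          AS grantee,
       TRIM(p.RDB$RELATION_NAME) AS role_name,
       TRIM(p.RDB$GRANTOR)       AS grantor,
       p.RDB$GRANT_OPTION        AS admin_option
FROM   RDB$USER_PRIVILEGES p
WHERE  p.RDB$PRIVILEGE   = 'M'
  AND  p.RDB$OBJECT_TYPE = 13
ORDER  BY 2, 1, 3;

-- Step 2: revoke the membership, naming the grantor that step 1
-- reported for this row (here ALICE granted AUDITORS to BOB).
REVOKE AUDITORS FROM BOB GRANTED BY ALICE;
COMMIT;

-- Step 3: confirm that no membership row remains for this
-- grantee/role pair, whatever the grantor. A non-zero count means the
-- same role was also granted by someone else and needs its own REVOKE.
SELECT COUNT(*) AS remaining_grants
FROM   RDB$USER_PRIVILEGES p
WHERE  p.RDB$PRIVILEGE     = 'M'
  AND  p.RDB$OBJECT_TYPE   = 13
  AND  p.RDB$USER          = 'BOB'
  AND  p.RDB$RELATION_NAME = 'AUDITORS';
```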