|Subject||Re: [IB-Architect] System predefined roles|
> When IB5 was created, roles were added. Apologies if I hurt someone here,Probably for the same reason why rdb$generators does not have field rdb$owner_name :-)
> but I can't understand why, despite other system tables, nobody thought on
> including a rdb$system_flag field in rdb$roles.
> Even rdb$functions has suchI see two problems with such approach:
> system flag "just in case" for possible enhancement. So, adding this field
> means an ODS upgrade.
> If we have some predefined, system roles, we could allow some "features" or
> "privileges" to be added to non-SYSDBA users without users having to fiddle
> with system tables directly. Almost any RDBMS I know has some predefined
> roles or user categories.
> Would some predefined roles fit into FB architecture nicely?
- both SQL standard and FB/IB implementation do not allow
to have more roles active simultaneously, so to use predefined
system roles along with other privileges would require
granting such role to other roles, which FB/IB do not support (yet).
- unlike other grants (select, execute, ...), using (predefined) roles
would require _always_ use some non-default role.
OTOH, implementing additional privileges via rdb$user_privileges
would require changing that table too (limited length of rdb$privilege).