Subject Re: [IB-Architect] System predefined roles
Author Ivan Prenosil
> When IB5 was created, roles were added. Apologies if I hurt someone here,
> but I can't understand why, despite other system tables, nobody thought on
> including a rdb$system_flag field in rdb$roles.

Probably for the same reason why rdb$generators does not have field rdb$owner_name :-)

> Even rdb$functions has such
> system flag "just in case" for possible enhancement. So, adding this field
> means an ODS upgrade.
> If we have some predefined, system roles, we could allow some "features" or
> "privileges" to be added to non-SYSDBA users without users having to fiddle
> with system tables directly. Almost any RDBMS I know has some predefined
> roles or user categories.
> Would some predefined roles fit into FB architecture nicely?

I see two problems with such approach:

- both SQL standard and FB/IB implementation do not allow
to have more roles active simultaneously, so to use predefined
system roles along with other privileges would require
granting such role to other roles, which FB/IB do not support (yet).

- unlike other grants (select, execute, ...), using (predefined) roles
would require _always_ use some non-default role.

OTOH, implementing additional privileges via rdb$user_privileges
would require changing that table too (limited length of rdb$privilege).