Subject Re: [Firebird-Architect] User name SYSDBA
Author Jim Starkey
Leyne, Sean wrote:

>My only concern is that the current implementation of Role, while SQL
>compliant, is almost completely useless. Any user can login with any
>role -- so how can access to the SYSDBA functions be limited?... they
>can't.
>
>The change of SYSDBA from a user to a "role" would be a good thing, only
>if the implementation uses a security "group" metaphor to which a user
>must be added as a member and not a property which is set as a value at
>login.
>
>
The SQL idea of role is substantially braindead. A more useful model is
the ability for a user with a role to grant that role, with optional
grant rights, to another user. An even more useful model is to allow a
user to change his roles within a session. A still more useful role
is to let a user activate or deactivate any roles from his set of
available roles.

For example, you, Sean, have the roles of Firebird admin, developer list
curmudgeon, and boss of Nickolay. You can switch among those roles
without going home, going to sleep, waking up, and driving back to
work. On a good day, you can probably do things that require the union
of privileges from all three.

--

Jim Starkey
Netfrastructure, Inc.
978 526-1376
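
Added example, not part of the original message and not Firebird code: a small Python model of the role scheme discussed in this thread, where a role is usable only by users it was granted to (membership, not a value set at login), can be granted onward only with grant rights, and can be activated or deactivated within a session with privileges taken as the union of the active roles. All class, role and privilege names are hypothetical, and the sample data is constructed.

```python
class RoleError(Exception):
    """Raised when a user tries to use or grant a role they do not hold."""

class RoleCatalog:
    """Membership store: a role is usable only by users it was granted to."""
    def __init__(self, role_privileges, owner):
        self.role_privileges = role_privileges   # role -> set of privilege names
        # (user, role) -> True if the user may grant the role onward.
        # Assumption: the owner starts as a member of every role, with grant rights.
        self.members = {(owner, role): True for role in role_privileges}

    def grant(self, grantor, role, grantee, with_grant=False):
        if not self.members.get((grantor, role), False):
            raise RoleError(f"{grantor} may not grant {role}")
        self.members[(grantee, role)] = with_grant

    def revoke(self, user, role):
        self.members.pop((user, role), None)

    def available(self, user):
        return {role for (member, role) in self.members if member == user}

class Session:
    """A login session; roles are switched on and off without reconnecting."""
    def __init__(self, catalog, user):
        self.catalog, self.user, self.active = catalog, user, set()

    def activate(self, role):
        if role not in self.catalog.available(self.user):
            raise RoleError(f"{self.user} is not a member of {role}")
        self.active.add(role)

    def deactivate(self, role):
        self.active.discard(role)

    def privileges(self):
        # Re-check membership on every use so a revoke takes effect mid-session.
        usable = self.active & self.catalog.available(self.user)
        return set().union(*(self.catalog.role_privileges[r] for r in usable))

def demo_catalog():
    # Constructed sample data; role and privilege names are hypothetical.
    catalog = RoleCatalog({"admin": {"create_user", "shutdown"},
                           "developer": {"alter_table"}}, owner="owner")
    catalog.grant("owner", "admin", "sean", with_grant=True)
    catalog.grant("owner", "developer", "sean")
    return catalog
```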