> With the scenario in which the app server passes role names (the
> first one in my last post), there is no need to re-authenticate. So
> role name(s) can be passed as parameter to _each_ query.

Yes, this would be also possible.

> But, taking into account that today in Firebird permissions are
> checked when a request is prepared ...

That's the problem. And doing it other way would cost some CPU cycles,
we have to check how many.

Roman