Subject Re: FB security - Roles vs Groups
Author johnson_dave2003
--- In Firebird-Architect@yahoogroups.com, "Leyne, Sean" <Sean@B...>
wrote:
> Christian,
>
> > As a chosen combination of already granted roles isn't of relevance
> > regarding security, why not allow the user to define the needed
> > selection her-/himself, e.g. by transferring a comma-separated list of
> > roles, or - for convenience - alternatively an asterisk, if an
> > inclusion of them all for the least restricted db access is desired.
>
> Wouldn't this allow the user to 'promote' himself to SYSDBA and do
> anything he wanted?

No - a requested role must always be checked against the roles that
the user has been assigned.
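
The check described in the reply above, as an added example that is not part of the original thread and not Firebird code: a client-supplied role list (comma-separated, or an asterisk for all) is resolved strictly against the roles already granted to the user. The function and exception names, the case-insensitive comparison, and the choice to reject the whole request when any role is not granted are assumptions made for illustration.

```python
from __future__ import annotations


class RoleRequestError(Exception):
    """Raised when a connection requests a role it may not activate."""


def normalize(role: str) -> str:
    # Assumption: role names compare case-insensitively.
    return role.strip().upper()


def resolve_active_roles(requested: str, granted: set[str]) -> set[str]:
    """Return the set of roles to activate for a session.

    requested: comma-separated role list sent by the client, or "*".
    granted:   roles the server has on record for this user.
    """
    granted_norm = {normalize(r) for r in granted}
    spec = requested.strip()

    if spec == "*":
        # The asterisk expands only to what was granted, never beyond it.
        return set(granted_norm)
    if not spec:
        return set()

    wanted = {normalize(r) for r in spec.split(",")}
    if "" in wanted:
        raise RoleRequestError("empty role name in request")
    if "*" in wanted:
        raise RoleRequestError("asterisk cannot be combined with role names")

    denied = wanted - granted_norm
    if denied:
        # Fail closed: one role that was never granted rejects the whole
        # request, so the attempt is visible instead of silently dropped.
        raise RoleRequestError("roles not granted: " + ", ".join(sorted(denied)))
    return wanted


if __name__ == "__main__":
    granted = {"SALES", "REPORTS"}  # constructed sample data
    print(resolve_active_roles("sales, reports", granted))
    print(resolve_active_roles("*", granted))
    try:
        resolve_active_roles("sales,admin", granted)
    except RoleRequestError as exc:
        print("rejected:", exc)
```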