>At 09:34 AM 05-06-01 -0700, Pete Morris wrote:
>...
> >3) Create a user "pete_m" with no permissions to any databases
> >4) Log in as pete_m
> >5) Extracted the meta data for the new database without problems
> >6) Added a new table to the database without problems

At 06:41 PM 6/5/2001 +1000, Helen Borrie wrote:

>I've just done exactly the same thing on a 5.6 test database here.
>This is NOT a Good Thing(TM).

Turns out that if you grant select to public on rdb$relations, you
stop users other than the owner from creating new tables ... through the GDML
interface. For reasons obscure, the SQL DDL interface ignores the grant.

Why is a grant required at all? The system relations still have a vestigial
relationship with the old GDML security, under which everything was permitted
unless explicitly prohibited. SQL security, the default on user tables,
prohibits everything that is not permitted. By granting select to public,
I switch RDB$RELATIONS from GDML to SQL security - a change that GDML notices
but SQL does not. Mysterious are the ways...

Regards,



Ann
www.ibphoenix.com
We have answers.