Subject | Re: [firebird-support] Re: Can we "Lock Down" Firebird to keep users from tampering with data? |
---|---|
Author | Thomas Steinmaurer |
Post date | 2006-03-14T06:14:36Z |
Hello,
>>One thing you can do to lock "sysdba" out, is to create a role
>>named "sysdba" -> this way, a sysdba log in will fail.
>
> I tried to create a role called sysdba and it would not let me do
> it. It says "This operation is not defined for system tables.
> unsuccessful metadata update. user name SYSDBA could not be used
> for SQL role." The steps I took were to log on as sysdba, create a
> new user, log on as the new user, then tried to create role called
> sysdba. Any suggestions?

Be careful with that. You have to do the following steps.

1) Migrate the owner of the database and database objects to a user
other than SYSDBA.

2) Connect with the new owner and execute:

insert into rdb$roles
(rdb$role_name, rdb$owner_name)
values
('SYSDBA', <the_new_owner>);

3) SYSDBA isn't able to connect now, and the new owner can remove that
role again.

ad 1): This is the tricky part: Either re-create the database with the
new owner and pump the data, or use our tool FBOwnerMigrator, which does the
needed modifications in the system tables. All at your own risk, of
course, but I know a lot of people for whom it worked.
--
Best Regards,
Thomas Steinmaurer
LogManager Series - Logging/Auditing Suites supporting
InterBase, Firebird, Advantage Database, MS SQL Server and
NexusDB V2
Upscene Productions
http://www.upscene.com
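
Added example, not part of the original post and not the author's or Upscene's code: checks to run in isql, connected as the new owner, before and after the insert in step 2, plus the removal mentioned in step 3. The delete statement is an assumption that mirrors the post's insert.

```sql
-- Added example, not from the original post.
-- Applies to the Firebird versions the post addresses; Firebird 3.0 and
-- later make the system tables read-only to direct DML.

-- Before step 2: user tables and views still owned by SYSDBA.
-- Expect no rows once the owner migration in step 1 is complete.
select rdb$relation_name
from rdb$relations
where rdb$owner_name = 'SYSDBA'
  and (rdb$system_flag is null or rdb$system_flag = 0);

-- Before step 2: stored procedures still owned by SYSDBA.
-- Expect no rows.
select rdb$procedure_name
from rdb$procedures
where rdb$owner_name = 'SYSDBA';

-- Before step 2: privileges on user objects still granted by SYSDBA.
-- Expect no rows.
select rdb$user, rdb$privilege, rdb$relation_name
from rdb$user_privileges
where rdb$grantor = 'SYSDBA'
  and rdb$relation_name not starting with 'RDB$';

-- After step 2: confirm the blocking role exists and who owns it.
-- Expect exactly one row whose owner is the new owner.
select rdb$role_name, rdb$owner_name
from rdb$roles
where rdb$role_name = 'SYSDBA';

-- Step 3, undoing the lockout (assumed form, mirroring the insert).
delete from rdb$roles
where rdb$role_name = 'SYSDBA';
commit;
```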