firebird-support - Re: [firebird-support] Re: FB 2.0: What is the SQL to allow users to change their password?

Subject	Re: [firebird-support] Re: FB 2.0: What is the SQL to allow users to change their password?
Author	Martijn Tonies
Post date	2007-01-31T11:34:10Z

> > > what annoys me a little is that DBOwners cannot use GUI tools to grant
> > > objects to users, since gui tools rely on DBOwners being logged onto

the

> > > database and once logged on, other users are not visible (in the GUI
> > tools).
> > > Only SYSDBA will see a full list of users.. So the only way this is
> > possible
> > > is to modify security2.fdb so the view reads
> > > ...
> > > WHERE CURRENT_USER = 'SYSDBA'
> > > OR CURRENT_USER = RDB$USERS.RDB$USER_NAME
> > > OR CURRENT_USER = 'MYDBOWNER'
> > > ... OR (keep adding database owners)...;
> > >
> > > Then you get the GUI grant manager tools working for the database

which

> > has
> > > been created by MYDBOWNER.
> >
> > The list of users is probably fetched by using the Services API.
>
> the services API will return users from the view,... so logged in as
> MYDBOWNER, the security service will return all users if the mods above

are

> applied (default distro will only return yourself unless you're SYSDBA).

The

> mods above a very difficult to apply now that direct access is vorboden...
> you have to stop the server, copy the security2.fdb, start server, make
> changes, stop server, copy back, start server again...

Not really an option.

> > What do you propose as a solution?
> >
>
> without a clear idea of where the security changes are going i.e. how they
> are to be implemented, it's difficult to propose a solution.
> per database security will no doubt introduce yet another layer of

difficult

> workarounds for certain tasks but does anyone (including Alex Peshkov)

have

> an implementation guide to follow on this?
> I'm not familiar with DBWorkBench grant manager - how does it wrestle with
> this task?

If you used a sysdba password when registering the server, it will use that
(for each database) to get a list of users know to the server. Enter it once
and it will be used wherever the Services API needs it.

> In IBExpert you need to design with a connection to the DB as DBOWNER, but
> you need to either have a separate connection as SYSDBA to do the grants,

> you make the mods above, OR you do it all via ISQL command line grant
> statements.
>
> Seems to me that we need a way that SYSDBA can add other SYSDBA type

users,

> special users who you declare as DBOWNERs i.e. used to created databases,

> these users have exceptional rights or are added to the permissions

allowed

> over the view.
> I know there is constant talk of a need to have more than one SYSDBA and

> bar access to databases from SYSDBA. Hopefully somewhere this is all being
> talked about, I've not seen any conversations on devel or architect lists.

Martijn Tonies
Database Workbench - tool for InterBase, Firebird, MySQL, NexusDB, Oracle &
MS SQL Server
Upscene Productions
http://www.upscene.com
My thoughts:
http://blog.upscene.com/martijn/
Database development questions? Check the forum!
http://www.databasedevelopmentforum.com