> >>
> >> That's not a good solution.
> >> Is there any other idea?
>
> > no - not with fb2's new security model, unless you make the mods to
> > security2.fdb and distribute the modified version of it.
> > That's what I do.
> > OR
> > in the admin tool of choice, you register 2 servers, one as
> creator and one
> > as SYSDBA, use the owner registered server to do your dev work, and the
> > SYSDBA registered server to do the permissions.
>
> > if you use roles, then role admin is carried out without seeing WHO
> > (specific users) on the server. You can grant roles to users
> also without
> > seeing them, with a grant statement.
> > but yes, the full use of gui grant managers to individual users
> is not going
> > to work with the standard install unless you are SYSDBA.
>
>
> Thank you, but that's no solution for me as I don't give away the
> sysdba pw to others but db accounts.
>
> Due to the architecture of separating user and roles in different dbs
> I think I do have to build an own admin tool...

no admin tool (your roll-your-own or otherwise) will circumvent this
situation. You need a special build of the server if you want something
different here, OR, use the security mods I have indicated. But even with
the mods to security2.fdb, you are still not able to create users unless you
are SYSDBA. The db owner, however, can do all the roles stuff.
DBOwner will NOT see a list of users from security2.fdb unless you make them
public.
Alan

>
>
> --
> Björn Reimer, Datenbanken und DV-Verfahren