Subject | RE: [firebird-support] Re: Read only user |
---|---|
Author | Svein Erling Tysvær |
Post date | 2007-10-31T08:07:13Z |
>>Any other suggestion of creating a read only user another way?...except creating new objects, which (s)he will get full control over.
>There is no such animal as a "read-only user". If you allow a user to get past the server's authentication
>gateway, that user has access to all databases under that server's control. However, unless the user is the
>SYSDBA, it has no privileges in any database.
What we do is hide the password from our users. The only way to connect is to apply an encryption algorithm to the password before connecting. This way, the users can only connect through our applications (unless they get hold of the encryption algorithm), not through isql, IB_SQL etc. Though we're lucky to only write programs for use in-house and to control all servers ourselves.
There's no way to prevent a user from creating things in a database if (s)he's got access to her/his own username and password (and I think that's a valid statement for Fb 2.0, albeit I'm still using 1.5 myself). If your users have some knowledge of SQL and want to add tables with gazillions of rows, you cannot prevent them.
Likewise, if your users have physical access to your database file, they can just copy the file to a computer where they know the SYSDBA password for Firebird and get full access to anything in your database.
Set
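
A sketch of the password-hiding scheme described in the post, added here as an example and not taken from the poster's applications: the client derives the password stored on the server from what the user types, using HMAC-SHA256 in place of the unspecified "encryption algorithm". `APP_SECRET`, `ALPHABET` and the function names are hypothetical, and the 8-character cut reflects the legacy authentication of Firebird 1.5/2.0, which only uses the first 8 characters of a password.

```python
import hashlib
import hmac
import math

# Hypothetical secret compiled into the in-house client (constructed value).
# Anyone who extracts it from the application can reproduce the derivation,
# which is the "unless they get hold of the algorithm" caveat in the post.
APP_SECRET = b"constructed-demo-secret-not-a-real-key"

# Characters used for the derived server password (constructed choice).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Legacy Firebird authentication only looks at the first 8 characters.
SIGNIFICANT_CHARS = 8


def derive_server_password(username: str, typed_password: str) -> str:
    """Map what the user types to the password actually set on the server."""
    # Firebird user names are case-insensitive, so normalise before mixing in.
    msg = username.upper().encode() + b"\x00" + typed_password.encode()
    digest = hmac.new(APP_SECRET, msg, hashlib.sha256).digest()
    # One digest byte per output character (slight modulo bias, fine for a demo).
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:SIGNIFICANT_CHARS])


def effective_bits() -> float:
    """Upper bound on the entropy of the derived password, in bits."""
    return SIGNIFICANT_CHARS * math.log2(len(ALPHABET))


if __name__ == "__main__":
    typed = "what-the-user-knows"  # constructed sample input
    stored = derive_server_password("alice", typed)
    # The typed password is never the server password, so it fails in isql.
    print("typed password works directly:", typed == stored)
    print("derived password length:", len(stored))
    print("entropy upper bound: %.1f bits" % effective_bits())
```

The administrator sets each account's server password to the derived value, so the typed password alone does not authenticate from isql or IB_SQL. The scheme only restricts which client is used; it grants or removes no privileges inside the database.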