> Thanks Thomas!
>
> I played with FB more as you suggested and now I am more confused (which I easily do), or may be I am missing something (which I often do :)).
>
> So here is what I tried -
>
> 1. Created new user in my FB server using GSEC.
> 2. Created brand new database using the new user, using ISQL.
> 3. Then I ran your ROLE query to give my new login SYSDBA role.
> 4. And, as you had said, it sure did lock SYSDBA user out. I could only connect to the database using my new user.
> 5. Then I created another user in the FB server and tried to connect to the database. Surprisingly, the another user was granted access to the database.
>
> Seems like even though we lock the SYSDBA out of the database as you mentioned. One can always copy the database into different server and create some other user, other than SYSDBA, and use that user to access the database.

Right, although, unlike SYSDBA, other users don't have access to tables,
... if they didn't get the SQL privileges granted. They can create new
objects like tables, views, ... though.

With Firebird 2.1, you could create an ON CONNECT trigger which throws
an exception if the connected user is different to a string literal.

But again, AFAIK with isql you can connect to the database suppressing
database triggers.

There is no ultimate solution yet. Things might get better if Firebird
support some kind of embedded authentication storing user/password
inside the database.


--
Best Regards,
Thomas Steinmaurer
LogManager Series - Logging/Auditing Suites supporting
InterBase, Firebird, Advantage Database, MS SQL Server and
NexusDB V2
Upscene Productions
http://www.upscene.com
My blog:
http://blog.upscene.com/thomas/