Subject | Re: [firebird-support] no permission for read/select access to TABLE RDB$... |
---|---|
Author | Geoff Worboys |
Post date | 2009-10-29T22:31:54Z |
Ramiro Barreca wrote:
> So, where to look for?
> Why suddenly some users report there is no read/access to
> RDB$RELATIONS and another system tables?

On an older version of Firebird (v1.5) I had strange access
problems; access one day that seemed to disappear the next.
Almost any permission change for this user would result in
everything magically working again.

The problem had never appeared running superserver, but when
we moved to classic this problem began to show occasionally.

. On this system permission maintenance was being done by
more than one user - neither were SYSDBA. (I was trying
to make a system that did not rely on SYSDBA for such
maintenance - was not entirely successful.)

. Also on this system there were times when several users
may be moved from one role to another... and I now think
the permission change may sometimes have been done while
some of the users were online.

What I found was multiple permission entries for the problem
users in RDB$USER_PRIVILEGES. Some "duplicates" were present
because they had been created by different users (and the
system intentionally keeps these separate). Some of the
other "duplicates" were present because old role assignments
had not been dropped (guessing this was for users that were
online at the time of a change). These "duplicate" records
should not have caused a lack of access (may have allowed too
much access), but were the only visible issue I could find
with the problem users.

To resolve I would revoke all the old privileges using SYSDBA
and then recreate the permissions required. (Some issues
surrounding the cleanup were discussed on this list in July.)

I have since instigated the procedure that only one logon is
used to maintain users and that the administrator ensures the
users are not online when their permissions are changed. This
seems to have at least reduced the problems we see.

I don't know if you may be seeing something similar under FB2,
but something else to investigate.
--
Geoff Worboys
Telesis Computing
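
An added example, not part of the original post: one way to look for the two kinds of "duplicate" entries described above in RDB$USER_PRIVILEGES, run from isql. It assumes the standard system-table columns, with privilege 'M' marking role membership and object type 13 marking a role; the user name in the last query is a placeholder.

```sql
-- 1. The same privilege on the same object recorded more than once for
--    one grantee, typically because it was granted by different grantors.
SELECT
    p.RDB$USER,
    p.RDB$USER_TYPE,
    p.RDB$RELATION_NAME,
    p.RDB$FIELD_NAME,
    p.RDB$OBJECT_TYPE,
    p.RDB$PRIVILEGE,
    COUNT(*)                      AS ENTRY_COUNT,
    COUNT(DISTINCT p.RDB$GRANTOR) AS GRANTOR_COUNT
FROM RDB$USER_PRIVILEGES p
GROUP BY
    p.RDB$USER,
    p.RDB$USER_TYPE,
    p.RDB$RELATION_NAME,
    p.RDB$FIELD_NAME,
    p.RDB$OBJECT_TYPE,
    p.RDB$PRIVILEGE
HAVING COUNT(*) > 1
ORDER BY 1, 3;

-- 2. Grantees that hold membership of more than one role, which is what
--    a role assignment left behind after a move to a new role looks like.
SELECT
    p.RDB$USER,
    COUNT(DISTINCT p.RDB$RELATION_NAME) AS ROLES_HELD
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE = 'M'      -- role membership
  AND p.RDB$OBJECT_TYPE = 13     -- granted object is a role
GROUP BY p.RDB$USER
HAVING COUNT(DISTINCT p.RDB$RELATION_NAME) > 1
ORDER BY 1;

-- 3. Every entry for one grantee, with the grantor of each, to review
--    before any cleanup. 'SOME_USER' is a placeholder user name.
SELECT
    p.RDB$GRANTOR,
    p.RDB$PRIVILEGE,
    p.RDB$GRANT_OPTION,
    p.RDB$RELATION_NAME,
    p.RDB$FIELD_NAME,
    p.RDB$OBJECT_TYPE
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$USER = 'SOME_USER'
ORDER BY p.RDB$RELATION_NAME, p.RDB$PRIVILEGE, p.RDB$GRANTOR;
```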