Subject Re: Firebird 2.x security and non-SYSDBA users
Author christian.waldmann@ymail.com
Hi Alan

You are right, when I modified security2.fdb to allow adding new users, then it's a feature I have created.

My user to add and delete users is the ADMINISTRATOR. So I have added the following grant to the security2.fdb by moving it from the Firebird root directory and moving it back afterwards:

GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES ON USERS TO ADMINISTRATOR;

But why does the security service block the access only in one direction? Am I missing some GRANTS or are there some switches in the firebird.conf file?

Christian

--- In firebird-support@yahoogroups.com, "Alan McDonald" <alan@...> wrote:
>
> > Hi security experts
> >
> > With Firebird 1.5 I have modified the security.fdb to let a non-SYSDBA
> > user add and delete USERS.
> >
> > The same modification works with Firebird 2.1.2 and security2.fdb only
> > for adding users with a non-SYSDBA user. Deleting is not possible,
> > because a non-SYSDBA user cannot see other users.
> >
> > Two questions:
> > - Is this a bug or a feature that a non-SYSDBA user can add users?
>
> If you've modified security2.fdb to allow adding new users, then it's a
> feature YOU'VE created.
>
> > - Can I configure Firebird 2.1, so that a non-SYSDBA user (with the
> > needed grants in the security2.fdb) can delete users?
>
> You can try... You can mess with security2.fdb as much as you like but since
> there is no direct access to the database file itself, you are still at the
> mercy of what the security service permits in the way of access and
> modification.
> I'd like to know what mods you have made to allow adding users from a
> non-SYSDBA account.
>
> Alan
>