Subject | Re: [firebird-support] Cleanup of user privileges |
---|---|
Author | Geoff Worboys |
Post date | 2009-07-02T02:42:26Z |
I wrote:
> What I would like to do is write some code that will go through
> RDB$USER_PRIVILEGES and clean it up automatically, remove all
> the redundant entries and so on. I am wanting to clean-up user
> roles, all other privileges have been more tightly managed.

I finally got back to look at this problem again.

For anyone that is interested... the above suggestion is quite
safe because it quite simply does not work (there are system
triggers in place that prevent direct updates, giving you an
error if you try).
What does work is to make sure you do your revoke calls using
SYSDBA. Revoke as SYSDBA will revoke privileges that were
granted by other users - a feature that does not work for any
other user, not even the database owner.
The fact that only SYSDBA or the grantor can revoke a privilege
is stated in Helen's book, but was something I had forgotten... I
had gotten used to relying on the database owner (not SYSDBA in
this case).
[The above is referring to an old FB v1.5 app... I believe it
all applies to recent FB versions too except that FB v2.5 is
getting the ability to specify a grantor.]
--
Geoff Worboys
Telesis Computing
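
An added example, not part of the original post: read-only queries against RDB$USER_PRIVILEGES that list role grants with their grantors and generate the REVOKE statements to run while connected as SYSDBA, as the post describes. It assumes role membership is recorded with RDB$PRIVILEGE = 'M' and RDB$OBJECT_TYPE = 13, and that user and role names are plain unquoted identifiers.

```sql
-- 1. Every role membership and who granted it.
--    Nothing here writes to the system tables.
SELECT p.RDB$RELATION_NAME AS role_name,
       p.RDB$USER          AS grantee,
       p.RDB$GRANTOR       AS grantor
FROM   RDB$USER_PRIVILEGES p
WHERE  p.RDB$PRIVILEGE   = 'M'     -- assumption: 'M' = role membership
  AND  p.RDB$OBJECT_TYPE = 13      -- assumption: 13 = role
ORDER  BY p.RDB$RELATION_NAME, p.RDB$USER, p.RDB$GRANTOR;

-- 2. Redundant entries: the same role reaching the same user
--    through more than one row (for example, different grantors).
SELECT p.RDB$RELATION_NAME AS role_name,
       p.RDB$USER          AS grantee,
       COUNT(*)            AS grant_rows
FROM   RDB$USER_PRIVILEGES p
WHERE  p.RDB$PRIVILEGE   = 'M'
  AND  p.RDB$OBJECT_TYPE = 13
GROUP  BY p.RDB$RELATION_NAME, p.RDB$USER
HAVING COUNT(*) > 1;

-- 3. Grants made by someone other than SYSDBA or the role owner.
--    These are the rows a database owner who is not the grantor
--    cannot revoke.
SELECT p.RDB$RELATION_NAME AS role_name,
       p.RDB$USER          AS grantee,
       p.RDB$GRANTOR       AS grantor,
       r.RDB$OWNER_NAME    AS role_owner
FROM   RDB$USER_PRIVILEGES p
JOIN   RDB$ROLES r ON r.RDB$ROLE_NAME = p.RDB$RELATION_NAME
WHERE  p.RDB$PRIVILEGE   = 'M'
  AND  p.RDB$OBJECT_TYPE = 13
  AND  p.RDB$GRANTOR    <> 'SYSDBA'
  AND  p.RDB$GRANTOR    <> r.RDB$OWNER_NAME;

-- 4. Generate one REVOKE per (role, user) pair for review.
--    The name columns are blank-padded CHAR, so the output carries
--    extra spaces. Review the list, then run the statements you
--    want while connected as SYSDBA.
SELECT DISTINCT
       'REVOKE ' || p.RDB$RELATION_NAME ||
       ' FROM '  || p.RDB$USER || ';' AS revoke_stmt
FROM   RDB$USER_PRIVILEGES p
WHERE  p.RDB$PRIVILEGE   = 'M'
  AND  p.RDB$OBJECT_TYPE = 13;
```

After the revokes, re-run query 1 to confirm which memberships remain, then re-grant only the ones still needed.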