Subject Re: [firebird-support] Seperation of user creation and SYSBDA role
Author Nikolaus Kern
Hello Paul,

I was walking throught the documents and the webpages to trace the
situation down. What I understand is following. Quote from

Co-admins must be connected with the RDB$ADMIN role if they want to add,
modify or drop users through SQL. Since nobody can attach to the
security database, for this to work there must be at least one other
database where the co-admin has been granted that role. In regular
databases, this is done with the standard GRANT statement:

grant rdb$admin to bigbill

This draws following conlusion for me:
*) A Co-Admin needs to be DB$ADMIN in one DB to be able to
create/alter/delete users for any other DB.

If connect with user bigbill to the DB I get following result:

SQL> CONNECT localhost:beta user 'bigbill' password 'bigsekrit';
Database: localhost:beta, User: bigbill
SQL> CREATE USER tester PASSWORD 'tester';
Statement failed, SQLSTATE = 28000
add record error
-no permission for insert/write access to TABLE USERS

Is there a catch 22 (between Co-Admin and RDB$ADMIN) or what do I miss
here? Does the login of the user bigbill need any additional parameters ?

Any help is appriciated.


> > What I would like to achive is a user/role that can create/alter/delete
> > users but never change the datastructure of my dB (e.g. by using drop
> > view x).
> That's no problem. You can make someone co-admin so he can manage users,
> but this doesn't give him *any* rights in *any* regular database.
> Cheers,
> Paul Vinkenoog

[Non-text portions of this message have been removed]