Subject RE: [firebird-support] advice re securing a database
Author Alan McDonald
>
> We develop a software package (with a Firebird backend) for external
> clients. But we also use this software internally.
>
> I am being asked to secure our internal database so that the developers
> cannot have free rein to it. This is because management want to store
> sensitive data inside with confidence.
>
> The problem I have is that the SYSDBA connection credentials are held
> within our application codebase in order for the app to connect to the
> database etc.
>
> I've been trying to think through this problem and have come up with a
> couple of solutions:
>
> 1) Somehow restrict access to the database at a Windows file system
> level, so that even if the developers know the password they will have
> no read/write access to the database. But I am thinking that if port 3050
> is open they could just gain access via an SQL client such as IBExpert
> etc.? (This would be the best, least impact solution.)
>
> 2) Change the Firebird user which the application uses to connect from
> SYSDBA to a new custom user that somehow restricts viewing of data???
> (I don't even know if this is possible.)
>
> 3) Change the SYSDBA password and encrypt it with some salt so that the
> developers have no idea what the password is. (Not great, as this would
> mean changing a lot of code on our part etc.)
>
> I was wondering if anybody could offer some advice, thanks.
>
>

Martin, you need to read this first, and then you will ask some quite
different questions:
http://www.firebirdsql.org/manual/fbmetasecur.html
Also read the manuals about SQL ROLEs.
You'll find a lot of documentation here:
http://www.firebirdsql.org/index.php?op=doc
Alan