Subject RDB$ADMIN
Author Alan McDonald

I have been using RDB$ADMIN role for a while.

I can grant it to users; they then have the ability to create and delete other users and grant roles to them.

But I see now that RDB$ADMIN is not enough to revoke roles from all users.

I get an exception saying the USERNAME was not the user which granted ROLENAME to OTHERUSERNAME.

Now it’s a task to find the user who actually granted the role.

SYSDBA does not overwrite this either. SYSDBA logged as any role including RDB$ADMIN does not give me the ability to revoke the role. It must be the user (not just the RDB$ADMIN role) who granted the role.

So is this the way it’s meant to happen?

Can anyone tell me which system table gives me a clue as to who granted the role so I can get that person to log in and revoke it?

Regards

Alan McDonald
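
For the question of where the grantor is recorded, a query against the Firebird system table RDB$USER_PRIVILEGES, added here as an example and not part of the original post. ROLENAME and OTHERUSERNAME are the placeholders used in the post, GRANTORNAME is a hypothetical placeholder for whatever the query returns, and the final statement assumes a server version that accepts GRANTED BY on REVOKE (Firebird 2.5 and later).

```sql
-- Added example, not from the original post.
-- RDB$USER_PRIVILEGES holds one row per grant. Role membership rows have
-- RDB$PRIVILEGE = 'M' and RDB$OBJECT_TYPE = 13 (role); RDB$USER_TYPE = 8
-- restricts the grantee to users. RDB$GRANTOR is the user who issued the GRANT.

-- 1. Who granted ROLENAME to OTHERUSERNAME?
SELECT TRIM(p.RDB$USER)          AS grantee,
       TRIM(p.RDB$RELATION_NAME) AS role_name,
       TRIM(p.RDB$GRANTOR)       AS grantor,
       p.RDB$GRANT_OPTION        AS admin_option  -- non-zero: WITH ADMIN OPTION
FROM   RDB$USER_PRIVILEGES p
WHERE  p.RDB$PRIVILEGE     = 'M'
  AND  p.RDB$OBJECT_TYPE   = 13
  AND  p.RDB$USER_TYPE     = 8
  AND  p.RDB$RELATION_NAME = 'ROLENAME'
  AND  p.RDB$USER          = 'OTHERUSERNAME';

-- 2. Audit view: every role grant in the database, grouped by grantor,
--    so stale grants made by departed administrators stand out.
SELECT TRIM(p.RDB$GRANTOR)       AS grantor,
       TRIM(p.RDB$RELATION_NAME) AS role_name,
       TRIM(p.RDB$USER)          AS grantee
FROM   RDB$USER_PRIVILEGES p
WHERE  p.RDB$PRIVILEGE   = 'M'
  AND  p.RDB$OBJECT_TYPE = 13
ORDER  BY 1, 2, 3;

-- 3. Revoke the grant as if issued by the recorded grantor.
--    GRANTORNAME is a placeholder for the grantor value returned by query 1.
--    Assumption: run by a privileged user on a server that supports
--    GRANTED BY in REVOKE.
REVOKE ROLENAME FROM OTHERUSERNAME GRANTED BY GRANTORNAME;
```

A role granted to the same user by several grantors appears as one row per grantor, and each of those grants has to be revoked separately.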