13.10.2013 16:09, Alan McDonald wrote:

> I have been using RDB$ADMIN role for a while.
>
> I can grant it to users, they then have the ability to create and delete
> other users and grant roles to them.
>
> But I see now that RDB$ADMIN is not enough to revoke roles from all users
>
> I get an exception saying the USERNAME was not the user which granted
> ROLENAME to OTHERUSERNAME
>
> Now it’s a task to find the user who actually granted the role
>
> SYSDBA does not overwrite this either. SYSDBA logged as any role
> including RD B$ADMIN does not give me the ability to revoke the role. It
> must be the user (not just the RDB$ADMIN role) who granted the role.

It may be SYSDBA or RDB$ADMIN as well, provided that you specify the
GRANTED BY clause for the REVOKE statement.

> So is this the way it’s meant to happen?

Yes.

> Can anyone tell me which system table gives me a clue as to who granted
> the role so I can get that person to login and revoke it?

In RDB$USER_PRIVILEGES, search for 'M' (membership) privileges.


Dmitry