Subject RE: [firebird-support] Re: RDB$ADMIN
Author Alan McDonald
> > Now it's a task to find the user who actually granted the role
> >
> > SYSDBA does not overwrite this either. SYSDBA logged as any role
> > including RDB$ADMIN does not give me the ability to revoke the role.
> > It must be the user (not just the RDB$ADMIN role) who granted the role.
>
> It may be SYSDBA or RDB$ADMIN as well, provided that you specify the
> GRANTED BY clause for the REVOKE statement.

So I need to interrogate the privileges to see who the GRANTOR was before I
can use RDB$ADMIN?
I think this layer is unnecessary from a security standpoint. If RDB$ADMIN is
supposed to be equivalent to the old SYSDBA, and can grant a role, then this
person should have the ability to revoke a role granted by any other user.
Alan

>
> > So is this the way it's meant to happen?
>
> Yes.
>
> > Can anyone tell me which system table gives me a clue as to who
> > granted the role so I can get that person to login and revoke it?
>
> In RDB$USER_PRIVILEGES, search for 'M' (membership) privileges.


>
>
> Dmitry
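Added example, not part of the original thread: a query that follows Dmitry's pointer to the 'M' (membership) rows in RDB$USER_PRIVILEGES, lists each role grant with its grantor, and builds the matching REVOKE ... GRANTED BY statement. SOMEUSER and ORIGINAL_GRANTOR are hypothetical names, and the generated text assumes role and user names that need no quoting.

```sql
-- List every role membership with the user who granted it.
-- RDB$PRIVILEGE = 'M' marks a membership row; for those rows
-- RDB$RELATION_NAME holds the role name and RDB$USER the member.
-- System columns are blank-padded, hence the TRIM() calls.
SELECT
    TRIM(p.RDB$RELATION_NAME) AS ROLE_NAME,
    TRIM(p.RDB$USER)          AS MEMBER,
    TRIM(p.RDB$GRANTOR)       AS GRANTOR,
    -- Non-zero when the member may pass the role on to others.
    p.RDB$GRANT_OPTION        AS CAN_REGRANT,
    -- Ready-to-review statement for SYSDBA or an RDB$ADMIN login.
    -- Assumption: names are plain identifiers (no quoting needed).
    'REVOKE ' || TRIM(p.RDB$RELATION_NAME) ||
    ' FROM ' || TRIM(p.RDB$USER) ||
    ' GRANTED BY ' || TRIM(p.RDB$GRANTOR) || ';' AS REVOKE_STMT
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE = 'M'
ORDER BY 1, 2, 3;

-- The same member can appear once per grantor: each grant is a
-- separate row and has to be revoked with its own GRANTED BY.
-- Grants per role and member, to spot duplicates before revoking:
SELECT
    TRIM(p.RDB$RELATION_NAME) AS ROLE_NAME,
    TRIM(p.RDB$USER)          AS MEMBER,
    COUNT(*)                  AS GRANT_COUNT
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE = 'M'
GROUP BY 1, 2
HAVING COUNT(*) > 1;

-- Shape of the statement to run once the grantor is known
-- (hypothetical member and grantor names):
REVOKE RDB$ADMIN FROM SOMEUSER GRANTED BY ORIGINAL_GRANTOR;
```

Review the REVOKE_STMT column before running any of its rows, since it covers every role membership in the database, not only the one being cleaned up.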