Subject | RE: [firebird-support] RDB$ADMIN and Role Revocation |
---|---|
Author | Alan McDonald |
Post date | 2013-02-07T22:42:28Z |
> Hi Alan,
>
> > I know in the past that the grantor must be the one who revokes that
> > role.
> > But now we have RDB$ADMIN a user with role RDB$ADMIN can create, edit
> > and delete users and grant a role to another user.
> >
> > I would have thought SYSDBA or indeed any other RDB$ADMIN user could
> > revoke any role.
> >
> > Firebird 2.5.2 - this is not the case. I get an exception
> >
> > unsuccessful metadata update SYSDBA is not grantor of Role on MANAGER
> > to 0S0ASDFASDF.
>
> You have to use GRANTED BY here:
>
> revoke manager from 0S0ASDFASDF granted by rdb$admin

So we're saying SYSDBA has to first make system table enquiries to find out
who granted the role and then make the adjustment to the revoke statement?
That doesn't sound right or basically logical to me. It's tough enough
already without SYSDBA being forced to jump thru all those hoops. SYSDBA can
delete everyone from the security database, and delete all the objects no
matter who made them but can't revoke a role until he finds out who granted
it?
Alan
>
>
> Paul Vinkenoog
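
The system-table enquiry discussed in this thread, as an added example that is not part of the original messages: it lists who granted the MANAGER role to 0S0ASDFASDF and builds the matching `REVOKE ... GRANTED BY` statement for each grantor. The role and user names are taken from the error message above; the column names and the type codes are those of Firebird's `RDB$USER_PRIVILEGES` system table.

```sql
-- Added example: find the grantor(s) of a role membership and generate
-- the REVOKE statement that names each one. Run as SYSDBA or as a user
-- connected with the RDB$ADMIN role, then review the generated
-- statements before executing them.
SELECT
    TRIM(p.RDB$RELATION_NAME) AS role_name,   -- the role that was granted
    TRIM(p.RDB$USER)          AS grantee,     -- who holds the role
    TRIM(p.RDB$GRANTOR)       AS grantor,     -- who granted it
    p.RDB$GRANT_OPTION        AS admin_option,
    'REVOKE ' || TRIM(p.RDB$RELATION_NAME) ||
    ' FROM '  || TRIM(p.RDB$USER) ||
    ' GRANTED BY ' || TRIM(p.RDB$GRANTOR) || ';' AS revoke_stmt
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE   = 'M'             -- 'M' = role membership
  AND p.RDB$OBJECT_TYPE = 13              -- 13  = role
  AND p.RDB$USER_TYPE   = 8               -- 8   = user
  AND p.RDB$RELATION_NAME = 'MANAGER'     -- role name from the error above
  AND p.RDB$USER          = '0S0ASDFASDF' -- grantee from the error above
ORDER BY p.RDB$GRANTOR;
```

Dropping the last two `AND` conditions turns the same query into an audit of every role grant in the database together with its grantor.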