Subject Re: [firebird-support] Grant + role issue
Author Helen Borrie
At 11:31 a.m. 6/06/2013, micheus.vieira wrote:
>I was working on database grants (Firebird 2.5.2) and I just noticed
>that it's possible to assign a role to a user that does not exist without
>raising any exception.
>Is that supposed to be right?

Yes; as long as the security database applies to any user database on the server, i.e., in all released versions of Firebird.

Remember, a ROLE (like all SQL privileges) is a database object (inside a specific database, doesn't cross database boundaries), while a USER is a server object (a record inside the security database). You can't connect to a database using a role alone: a role is NOT a user group. You get onto the server using valid USER credentials and you get access to objects inside specific databases by way of SQL privileges.

In Firebird 3 comes the capability to have a security database that applies to only one database. In that configuration, you'll need to be less sloppy about the user/privilege mappings in your security design or you're likely to have a few unhappy users. ;-)


Helen Borrie, Support Consultant, IBPhoenix (Pacific)
Author of "The Firebird Book" and "The Firebird Book Second Edition"
http://www.firebird-books.net
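
An audit sketch for the behaviour discussed in this thread, added here as an example and not part of the original message: it records a role grant for a user name with no account, then lists the role memberships stored in the database so they can be checked against real accounts. The names APP_READER and ALICE_TYPO are hypothetical, and the last query assumes Firebird 3 or later, where SEC$USERS is available.

```sql
-- Added example. APP_READER and ALICE_TYPO are hypothetical names.
-- Run in isql as SYSDBA (or the database owner) against a test database.

CREATE ROLE APP_READER;
COMMIT;

-- Accepted without error even though ALICE_TYPO has no record in the
-- security database: the grant is just a row in this database.
GRANT APP_READER TO ALICE_TYPO;
COMMIT;

-- 1) Every role membership recorded in this database.
--    RDB$PRIVILEGE = 'M'   -> membership of a role
--    RDB$USER_TYPE = 8     -> grantee is a user
--    RDB$OBJECT_TYPE = 13  -> granted object is a role
SELECT TRIM(p.RDB$USER)          AS GRANTEE,
       TRIM(p.RDB$RELATION_NAME) AS ROLE_NAME,
       TRIM(p.RDB$GRANTOR)       AS GRANTOR
FROM   RDB$USER_PRIVILEGES p
WHERE  p.RDB$PRIVILEGE   = 'M'
  AND  p.RDB$USER_TYPE   = 8
  AND  p.RDB$OBJECT_TYPE = 13
ORDER  BY 1, 2;

-- On Firebird 2.5 the account list lives only in the security database,
-- so compare the GRANTEE column above with the output of: gsec -display

-- 2) Firebird 3 and later: grantees with privileges in this database but
--    no matching account in the security database it is mapped to.
--    Run as an administrator; ordinary users see only their own row in
--    SEC$USERS, which would make every other grantee look orphaned.
SELECT DISTINCT TRIM(p.RDB$USER) AS ORPHAN_GRANTEE
FROM   RDB$USER_PRIVILEGES p
LEFT   JOIN SEC$USERS u
       ON u.SEC$USER_NAME = p.RDB$USER
WHERE  p.RDB$USER_TYPE = 8
  AND  p.RDB$USER <> 'PUBLIC'
  AND  u.SEC$USER_NAME IS NULL
ORDER  BY 1;

-- Clean up a grant that should not exist.
REVOKE APP_READER FROM ALICE_TYPO;
COMMIT;
```

An orphaned grantee is worth reviewing because the privileges take effect as soon as an account with that name is created on the server.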