| Subject | Re: [firebird-support] Which is the reason for the clause GRANTED BY? |
|---|---|
| Author | W O |
| Post date | 2013-09-07T15:14:25Z |
Thank you very much Paul for answering.
In your document "Firebird 2.5 - Language Reference Update" the database owner, BOB, writes:
grant digger to frank with admin option granted by fritz
but, what if fritz doesnt agree with to be the grantor?
It can take him a long time for know that he appears as the grantor of the role. It seems more logic to me than if BOB grants the role to frank then BOB should be who rekove that role, or SYSDBA, but nobody more. In the shoes of fritz I would disagree with being the grantor.
Greetings.
Walter.
On Fri, Sep 6, 2013 at 7:31 PM, Paul Vinkenoog <paul@...> wrote:
Walter wrote:Of course, and that's the default.
> When a privilege is granted it seems logic to me to store it in the
> database with the current user as the grantor.
First, only the database owner and users with admin rights can do that - not just any grantor.
> With the GRANTED BY clause, the user who grants the privilege can have
> someone else registered as the grantor.
>
> Why?
>
> Which would be the reason for to do that?
One reason I can think of: to enable the user thus registered as grantor to revoke the privilege later if and when he sees fit. Without this option, it would take an admin/owner account to revoke the privilege again.
It's a bit like root creating files and then transferring ownership to a normal user.
Paul Vinkenoog