Subject RE: [firebird-support] Re: Roles - Permissions - RDB$ADMIN
Author Alan McDonald
> 04.01.2014 11:51, Alan McDonald wrote:
>
> > Users with RDB$ADMIN granted to them have the ability to create users.
> >
> > They can, of course, also grant other roles to users.
> >
> > But they cannot revoke roles already granted to a user by another
> > RDB$ADMIN or SYSDBA since the RDB$GRANTOR is always a user not a role.
>
> Did you try the GRANTED BY clause in REVOKE?
>
>
> Dmitry
>

That may work but it doesn't seem right that we have to query the grantor
before an RDB$ADMIN can issue the command. RDB$ADMIN, I thought, in theory,
was to be equal in all things to SYSDBA, and SYSDBA should also be able to
override a grant granted by some non-SYSDBA user. Surely?
Alan
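
The workaround discussed in this thread (look up the grantor, then use GRANTED BY in REVOKE), sketched as an added example that is not part of the original messages. It assumes Firebird 2.5 or later, a connection as SYSDBA or with the RDB$ADMIN role active, and grantor names that are ordinary unquoted identifiers; APP_ROLE and APP_USER are hypothetical placeholder names.

```sql
-- Added example: APP_ROLE and APP_USER are hypothetical placeholders.

-- 1. List who granted the role to the user. Role membership is stored in
--    RDB$USER_PRIVILEGES with privilege 'M' and object type 13 (role).
SELECT TRIM(RDB$GRANTOR) AS GRANTOR,
       RDB$GRANT_OPTION  AS ADMIN_OPTION
FROM   RDB$USER_PRIVILEGES
WHERE  RDB$USER          = 'APP_USER'
  AND  RDB$RELATION_NAME = 'APP_ROLE'
  AND  RDB$PRIVILEGE     = 'M'
  AND  RDB$OBJECT_TYPE   = 13;

-- 2. Revoke every such grant, one REVOKE per recorded grantor, so the
--    result does not depend on which administrator issued the GRANT.
SET TERM ^ ;
EXECUTE BLOCK
AS
  DECLARE VARIABLE GRANTOR_NAME VARCHAR(63);
BEGIN
  FOR SELECT TRIM(RDB$GRANTOR)
      FROM   RDB$USER_PRIVILEGES
      WHERE  RDB$USER          = 'APP_USER'
        AND  RDB$RELATION_NAME = 'APP_ROLE'
        AND  RDB$PRIVILEGE     = 'M'
        AND  RDB$OBJECT_TYPE   = 13
      INTO   :GRANTOR_NAME
  DO
    -- The grantor name is read from the system table, not from user input.
    EXECUTE STATEMENT
      'REVOKE APP_ROLE FROM APP_USER GRANTED BY ' || GRANTOR_NAME;
END^
SET TERM ; ^

COMMIT;

-- 3. Verify: the query from step 1 should now return no rows.
```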