I took a look at the code and jrd/pwd.cpp has pretty much all the security contents commented out if EMBEDDED compiler definition is set. This seems to be inline with the docs which indicate that using embedded server doesn’t require username / pwd as all users have access if you have the fdb. This flag, -DEMBEDDED, is set on Windows but it is not on posix builds.  I took a look and there is some other code in server.cpp which will break if you set that compiler flag, but does that mean that embedded clients actually need the security database or just that it was never cleaned up on posix builds to be able to compile.

Thanks
Lee