Subject Re: [firebird-support] RDB$ADMIN ROLE in security database
Author Helen Borrie
Hello Neagu,

Monday, November 30, 2015, 3:58:51 PM, you wrote:

> Hi


> Firebird 2.5 introduces the RDB$ADMIN ROLE. In the security database,
> it means the ability to create, drop and alter user accounts. For this
> we can use the SQL command CREATE or ALTER USER with the parameter GRANT/REVOKE
> ADMIN ROLE to manage a user's RDB$ADMIN ROLE in the security database.
> When I connect to a database with SYSDBA, I can obtain a list of users,
> using an SQL SELECT from RDB$USER_PRIVILEGES, but how can I know if a
> user has or not the ADMIN ROLE in the security database?

When you use CREATE / ALTER USER, even though you are logged into a
regular database, you are actually working in the security database,
to which you otherwise do not have SQL access.

When you query RDB$USER_PRIVILEGES, you are looking at the privileges
that are stored in the current database (CURRENT_CONNECTION). You
cannot see privileges that apply to other databases, including
security2.fdb.

You can find out which users have been granted RDB$ADMIN in the
security database, using the gsec tool. Here we are in Windows but the
output looks the same in Linux or MacOSX.

In isql, logged in as SYSDBA:
...
SQL> create user helen password 'rapunzel' GRANT ADMIN ROLE;
SQL> commit;
...
C:\Programs64\Firebird_2_5\bin>gsec -user sysdba -password U65rtwer
GSEC> display
     user name                    uid   gid admin     full name
------------------------------------------------------------------------------------------------
SYSDBA                              0     0           Sql Server Administrator
JOEBLO                              0     0           Joe Bloggs
HELEN                               0     0 admin
GSEC>

Helen
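
Added example (not part of Helen's message and not Firebird project code): a Python parser for the text of a gsec display listing like the one above, reporting which accounts carry the admin flag in the security database. The fixed-width column layout and the names parse_gsec_display and security_admins are assumptions of this example; the sample listing is constructed.

```python
# Added example: report which accounts hold RDB$ADMIN in the security
# database by parsing the text printed by gsec's "display" command.

# Assumption: rows are fixed-width and line up under the header columns.
ROW_FMT = "{:<31} {:>5} {:>5} {:<5}     {}"

# Constructed sample that mirrors the listing in the message above.
SAMPLE = "\n".join([
    "GSEC> display",
    ROW_FMT.format("     user name", "uid", "gid", "admin", "full name"),
    "-" * 96,
    ROW_FMT.format("SYSDBA", 0, 0, "", "Sql Server Administrator"),
    ROW_FMT.format("JOEBLO", 0, 0, "", "Joe Bloggs"),
    ROW_FMT.format("HELEN", 0, 0, "admin", "").rstrip(),
    "GSEC>",
])


def parse_gsec_display(text):
    """Return one dict per user row found in a gsec display listing."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if "user name" in line and "admin" in line and "full name" in line:
            break
    else:
        # No admin column in the listing: do not guess.
        raise ValueError("no gsec header with an 'admin' column found")
    admin_at = line.index("admin")
    fullname_at = line.index("full name")
    users = []
    for row in lines[idx + 1:]:
        left = row[:admin_at].split()
        # Skip the dashed separator, prompts and blank lines.
        if len(left) != 3 or not (left[1].isdigit() and left[2].isdigit()):
            continue
        users.append({
            "name": left[0],
            "admin": row[admin_at:fullname_at].strip().lower() == "admin",
            "full_name": row[fullname_at:].strip(),
        })
    return users


def security_admins(text):
    """Names of users flagged admin in the security database listing."""
    return [u["name"] for u in parse_gsec_display(text) if u["admin"]]


if __name__ == "__main__":
    print(security_admins(SAMPLE))
```

Slicing by the header's column offsets keeps a row with an empty full name (HELEN) from being read as a user whose full name is "admin".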