Subject Re: [firebird-support] RDB$ADMIN ROLE in security database
Author Neagu
Thank you for your answer.
What I want to do is to manage users, like gsec, but with my application. With earlier Firebird versions, I do that using the service API.
But in the service API, when I call isc_service_query with the isc_info_svc_get_users parameter, I retrieve only the following information: USERID, GROUPID, USERNAME, FIRSTNAME, MIDDLENAME, LASTNAME, and nothing about ADMIN ROLE. The same applies if I want to add or modify users with API functions. I don't know how I can grant or revoke the admin role. In this case I tend to believe that my API call specifications would be obsolete. This is the reason I try to do these things with SQL commands.


On 11/30/2015 6:05 AM, Helen Borrie helebor@... [firebird-support] wrote:
 

Hello Neagu,

Monday, November 30, 2015, 3:58:51 PM, you wrote:

> Hi

> Firebird 2.5 introduces the RDB$ADMIN ROLE. In the security database,
> it means, the ability to create, drop and alter user accounts. For this
> we can use SQL command CREATE or ALTER USER with parameter GRANT/REVOKE
> ADMIN ROLE to manage users RDB$ADMIN ROLE in the security database.
> When I connect to a database with SYSDBA, I can obtain a list of users,
> using an SQL SELECT from RDB$USER_PRIVILEGES, but how can I know if a
> user has the ADMIN ROLE in the security database or not?

When you use CREATE / ALTER USER, even though you are logged into a
regular database, you are actually working in the security database,
to which you otherwise do not have SQL access.

When you query RDB$USER_PRIVILEGES, you are looking at the privileges
that are stored in the current database (CURRENT_CONNECTION). You
cannot see privileges that apply to other databases, including
security2.fdb.

You can find out which users have been granted RDB$ADMIN in the
security database, using the gsec tool. Here we are in Windows but the
output looks the same in Linux or MacOSX.

In isql, logged in as SYSDBA:
...
SQL> create user helen password 'rapunzel' GRANT ADMIN ROLE;
SQL> commit;
...
C:\Programs64\Firebird_2_5\bin>gsec -user sysdba -password U65rtwer
GSEC> display
     user name                    uid   gid admin     full name
--------------------------------------------------------------------------
SYSDBA                              0     0           Sql Server Administrator
JOEBLO                              0     0           Joe Bloggs
HELEN                               0     0    admin
GSEC>

Helen
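
Added example, not part of the original thread: one way an application could read the admin flag out of a `gsec display` listing like the one quoted above. The function names, the column widths of the constructed sample and the OPSUSER row are assumptions; the parser takes the start of the full-name column from the header line, so a full name of "admin" is not mistaken for the flag.

```python
import re

# user name, uid, gid at the start of a data row
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)")

def parse_gsec_display(text):
    """Return one dict per account from a `gsec display` listing."""
    full_off = None
    users = []
    for line in text.splitlines():
        if full_off is None:
            # Header row: remember where the "full name" column starts.
            if "user name" in line and "full name" in line:
                full_off = line.index("full name")
            continue
        m = ROW_RE.match(line)
        if not m:  # separator rule, blank line or GSEC> prompt
            continue
        users.append({
            "user": m.group(1),
            "uid": int(m.group(2)),
            "gid": int(m.group(3)),
            # Text between gid and the full-name column is the admin flag.
            "admin": line[m.end():full_off].strip().lower() == "admin",
            "full_name": line[full_off:].strip(),
        })
    return users

def admin_users(text):
    """Names of accounts that hold RDB$ADMIN in the security database."""
    return [u["user"] for u in parse_gsec_display(text) if u["admin"]]

# Constructed sample modelled on the listing in the thread; the column
# widths are an assumption, and OPSUSER is a made-up account whose full
# name happens to be "admin".
_FMT = "{:<32}{:>5}{:>6} {:<9} {}"
SAMPLE = "\n".join([
    _FMT.format("     user name", "uid", "gid", "admin", "full name"),
    "-" * 74,
    _FMT.format("SYSDBA", 0, 0, "", "Sql Server Administrator"),
    _FMT.format("JOEBLO", 0, 0, "", "Joe Bloggs"),
    _FMT.format("HELEN", 0, 0, "admin", ""),
    _FMT.format("OPSUSER", 0, 0, "", "admin"),
    "GSEC>",
])

if __name__ == "__main__":
    print(admin_users(SAMPLE))
```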

