User who is allowed to manage other users must have this ability WITHOUT the need to grant him the RDB$ADMIN role (which is related to admin tasks in the "main" database rather than in security_db)

Key: CORE-5770
URL: http://tracker.firebirdsql.org/browse/CORE-5770
Project: Firebird Core
Issue Type: Improvement
Components: Engine, Security
Affects Versions: 4.0 Beta 1
Reporter: Pavel Zotov
Priority: Minor

It would be good if SYSDBA could grant another user (say, "foo") the ability to manage other users, but do this WITHOUT granting him the rdb$admin role. Currently it is impossible.

case-1:
======

    set list on;
    connect 'localhost:employee' user sysdba password 'masterkey';
    create or alter user foo password '123' using plugin Srp grant admin role;
    create or alter user bar password '456' inactive using plugin Srp;
    commit;

    connect 'localhost:employee' user foo password '123';
    select current_user as who_am_i, current_role as whats_my_role from rdb$database;

    WHO_AM_I                        FOO
    WHATS_MY_ROLE                   NONE

    commit;
    alter user bar active using plugin Srp; -- this statement relates to security_db, where 'foo' was granted to work as admin

    Statement failed, SQLSTATE = 28000
    modify record error
    -no permission for UPDATE access to COLUMN PLG$SRP_VIEW.PLG$ACTIVE

    commit;

case-2:
======

    connect 'localhost:employee' user sysdba password 'masterkey';
    create or alter user foo password '123' using plugin Srp grant admin role;
    grant rdb$admin to foo;
    create or alter user bar password '456' inactive using plugin Srp;
    commit;

    connect 'localhost:employee' user foo password '123' role 'RDB$ADMIN';
    select current_user as who_am_i, current_role as whats_my_role from rdb$database;

    WHO_AM_I                        FOO
    WHATS_MY_ROLE                   RDB$ADMIN

    commit;
    alter user bar active using plugin Srp; -- [1]
    commit;

    connect 'localhost:employee' user sysdba password 'masterkey';
    drop user foo using plugin Srp;
    drop user bar using plugin Srp;
    commit;

Statement [1] passed only when 'foo' has TWO roles: 1) admin in security_db and 2) rdb$admin in employee. But this statement (alter user ...) has nothing to do with the 'employee' database.
Granting the role 'rdb$admin' looks excessive here and even dangerous: we allow foo to perform admin tasks not only in security_db but also in the "main" database.

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
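As an added audit check that is not part of the report or of Firebird itself: an isql script run as SYSDBA that lists which users hold the rdb$admin workaround from case-2 in the "main" database on top of admin rights in security_db, so the over-privileged accounts can be reviewed. It assumes Firebird 3.0 or later (the SEC$USERS virtual table and RDB$USER_PRIVILEGES as shipped there) and the same 'localhost:employee' connection used in the cases above.

```sql
-- Added example, not from the original report. Run in isql as SYSDBA.
-- Assumes Firebird 3.0+: SEC$USERS (security_db users, SEC$ADMIN boolean)
-- and RDB$USER_PRIVILEGES (role membership rows with RDB$PRIVILEGE = 'M').
set list on;
connect 'localhost:employee' user sysdba password 'masterkey';

-- 1) Users that are admins in security_db: this is the right they need
--    for CREATE/ALTER/DROP USER, which the report asks to be sufficient.
select sec$user_name, sec$plugin, sec$active
from sec$users
where sec$admin = true;

-- 2) Users that were granted rdb$admin in THIS database (the workaround
--    from case-2). RDB$USER_TYPE = 8 restricts the list to users, not roles.
select rdb$user, rdb$grant_option
from rdb$user_privileges
where rdb$relation_name = 'RDB$ADMIN'
  and rdb$privilege = 'M'
  and rdb$user_type = 8;

-- 3) Cross-reference: each row is a security_db admin whose ability to
--    manage logins was bought with full admin rights in the main database.
--    SYSDBA is excluded because it is an admin everywhere by definition.
select u.sec$user_name
from sec$users u
join rdb$user_privileges p
  on p.rdb$user = u.sec$user_name
 and p.rdb$relation_name = 'RDB$ADMIN'
 and p.rdb$privilege = 'M'
 and p.rdb$user_type = 8
where u.sec$admin = true
  and u.sec$user_name <> 'SYSDBA';

-- Remediation for a flagged account (hypothetical user name), once the
-- main-database admin rights are confirmed to be unintended:
-- revoke rdb$admin from foo;
commit;
```

Query 3 returns FOO while the case-2 setup is in place and returns nothing after the reporter's clean-up (drop user foo) or after the commented revoke.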