Since Firebird 3 there is the ALTER ANY ROLE DDL privilege, but this
currently does nothing:
- A user without ALTER ANY ROLE is allowed to comment on a role
(reported in CORE-6489)
- A user with ALTER ANY ROLE cannot execute ALTER ROLE(*), because the
only option (SET/DROP AUTO ADMIN MAPPING) requires RDB$ADMIN or - FB4 -
the CHANGE_MAPPING_RULES system privilege.

From a point of consistency, I think that the ALTER ANY ROLE privilege
should allow the user to execute ALTER ROLE RDB$ADMIN SET/DROP AUTO
ADMIN MAPPING, even without being admin or having the
CHANGE_MAPPING_RULES privilege. If not, what is the reason?

Mark

*) Judging by the error message, ALTER ANY ROLE is not even checked for
ALTER ROLE, it just fails because of insufficient privileges to create
the mapping; I reported this as CORE-6490.
--
Mark Rotteveel
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel