> > Now it's a task to find the user who actually granted the role
> >
> > SYSDBA does not overwrite this either. SYSDBA logged in as any role
> > including RDB$ADMIN does not give me the ability to revoke the role.
> > It must be the user (not just the RDB$ADMIN role) who granted the role.
>
> It may be SYSDBA or RDB$ADMIN as well, provided that you specify the
> GRANTED BY clause for the REVOKE statement.

So I need to interrogate the privileges to see who the GRANTOR was before I can use RDB$ADMIN? I think this layer is unnecessary from a security standpoint. If RDB$ADMIN is supposed to be equivalent to the old SYSDBA, and can grant a role, then this person should have the ability to revoke a role granted by any other user.

Alan

> > So is this the way it's meant to happen?
>
> Yes.
>
> > Can anyone tell me which system table gives me a clue as to who
> > granted the role so I can get that person to log in and revoke it?
>
> In RDB$USER_PRIVILEGES, search for 'M' (membership) privileges.
>
>
> Dmitry
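
The lookup and revoke discussed in this thread, as an added example that is not part of any poster's message: it lists role-membership grants with their grantor from RDB$USER_PRIVILEGES and builds the matching REVOKE ... GRANTED BY statement for each row. The names APP_ROLE, ALAN and BOB are constructed placeholders, and the generated text assumes plain, unquoted identifiers.

```sql
-- Added example (not from the thread). Run while connected as SYSDBA
-- or with the RDB$ADMIN role so the final REVOKE is permitted.

-- 1. Who granted which role to whom?
--    Membership rows carry RDB$PRIVILEGE = 'M'; for those rows
--    RDB$RELATION_NAME holds the role name, RDB$USER the grantee
--    and RDB$GRANTOR the user who issued the GRANT.
SELECT
    TRIM(p.RDB$RELATION_NAME) AS ROLE_NAME,
    TRIM(p.RDB$USER)          AS GRANTEE,
    TRIM(p.RDB$GRANTOR)       AS GRANTOR,
    -- Ready-to-review statement naming the original grantor.
    -- Assumption: names need no double-quoting.
    'REVOKE ' || TRIM(p.RDB$RELATION_NAME) ||
    ' FROM '  || TRIM(p.RDB$USER) ||
    ' GRANTED BY ' || TRIM(p.RDB$GRANTOR) || ';' AS REVOKE_STMT
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE = 'M'
ORDER BY 1, 2, 3;

-- 2. Revoke a membership that another user granted, naming that
--    grantor explicitly. Constructed names: role APP_ROLE was
--    granted to BOB by ALAN.
REVOKE APP_ROLE FROM BOB GRANTED BY ALAN;
COMMIT;

-- 3. Confirm the membership row is gone (expect zero rows).
SELECT TRIM(p.RDB$USER) AS GRANTEE, TRIM(p.RDB$GRANTOR) AS GRANTOR
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE = 'M'
  AND p.RDB$RELATION_NAME = 'APP_ROLE'
  AND p.RDB$USER = 'BOB';
```

The same role can be granted to one user by several grantors, so a grantee may appear on more than one row and needs one REVOKE per grantor.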
