Role

<< Blob filter sample code | IBExpert | Firebird 3.0 packages >>

A role is a named group of privileges. It simplifies granting user rights as multiple users can be granted the same role. For example, in a large sales department, all those clerks involved in processing incoming orders could belong to a role Order Processing.

Should it become necessary to alter the rights of these users, only the role has to be changed.

Users must specify the role at connect time.

New role

A new role can be created in a connected database, either by using the IBExpert menu item Database / New Role, the respective icon in the New Database Object toolbar, or using the DB Explorer right-click menu (or key combination [Ctrl + N]), when the role heading of the relevant connected database is highlighted.

A New Role dialog appears:

Simply enter the new role name, and click OK to compile and commit.

Note: when a role with the name SYSDBA is created, no other users (not even the SYSDBA) can access the database.

For those preferring SQL input, the syntax is as follows:

 CREATE ROLE <Role_Name>;

Firebird 2.0 saw the addition of the RDB$DESCRIPTION and RDB$SYSTEM_FLAG fields to the RDB$ROLES table to allow description text and to flag user-defined roles respectively.

Firebird 2.5 introduced a new role, RDB$ADMIN, for databases ODS version 11.2 and higher. This role allows regular users to be granted SYSDBA-similar rights at database level.

After successfully creating one or more new roles, privileges need to be granted to the role name(s). Please refer to Grant Manager, found in the IBExpert Tools Menu, and the GRANT statement for further information.

By using WITH ADMIN OPTION, the grantor (typically the role creator) gives the grantee (role member) the right to become a grantor of the same role in turn, similar to the user permission WITH GRANT OPTION.

back to top of page

Edit role/alter role

Users and rights may be altered for a role using the IBExpert Grant Manager. This can be started either directly from the DB Explorer by either double-clicking on a role name, using the right-click menu item Edit Role... or the key combination [Ctrl + O], or using the IBExpert Tools menu item, Grant Manager. Please refer to Grant Manager for details.

Firebird 2.5 introduced the trusted user authentication. The SYSDBA can log in to any database and issue the following statement:

 ALTER ROLE RDB$ADMIN
 SET AUTO ADMIN MAPPING;

To revert to the default setting, preventing administrators from getting SYSDBA privileges automatically, issue this statement:

 ALTER ROLE RDB$ADMIN
 DROP AUTO ADMIN MAPPING;

See also:
Firebird 2.5 Release Notes

back to top of page

Drop role/delete role

DROP ROLE deletes a role that was previously created using CREATE ROLE. Any privileges that users acquired or granted through their membership in the role are revoked.

To drop a role use the DB Explorer right mouse-click menu item Drop Role... (or [Ctrl + Del].

IBExpert asks for confirmation:

before finally dropping the role. Once dropped, it cannot be retrieved.

Using SQL the syntax is:

 DROP ROLE <Role_Name>;

A role can be dropped by its creator, the SYSDBA user, or any user with superuser privileges.

Since Firebird 2 the UserManager WITH ADMIN OPTION can be removed by the original grantor using the REVOKE ADMIN OPTION FROM. Until Firebird 2, this ability couldn't be removed unless the original grantor fiddled with system tables directly.

See also:
Grant Manager
User Manager
Server Security ISC4.GDB / SECURITY.FDB

back to top of page
<< Blob filter sample code | IBExpert | Firebird 3.0 packages >>