https://stackoverflow.com/questions/17656406
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianThe Firebird gsec utility only manages users and their passwords in the global security database (security2.fdb in Firebird 2.0 and higher). The rights of a user are managed per database (except for the user SYSDBA) and cannot be managed with gsec.
Per database user rights are controlled by defining roles (optionally), assigning rights to roles and/or users, and assigning roles to users in a specific database. Rights assigned to a role are only applied when the role is specified on attach, otherwise only the user rights apply.
Assigning rights is done with GRANT and REVOKE. For details, check the Firebird 2.5 Language Reference chapter Security and changes for Firebird 3 documented in the Firebird 3 release notes, and/or the Interbase 6.0 Operations Guide, chapter 5 Database Security, Interbase 6.0 Language Reference and Interbase 6.0 Data Definition Guide (both downloadable from the same location as the operations guide) and changes documented in the Firebird Language Reference Update.
To display the current rights granted in a database, you can use the isql tool, command show grants. You will need to connect to the specific database you want the information for. For other tools or normal client connections you will need to query the system tables (specifically RDB$USER_PRIVILEGES) yourself, or use the features of the tool (eg Flamerobin can display the rights as well).
If no rights are granted (which means only SYSDBA and the database owner have rights), the show grants; will output:
SQL> show grants;
There is no privilege granted in this database
For example assume I have table ITEMS and I grant SELECT rights to a role TESTROLE, the output will be:
SQL> CREATE ROLE TestRole;
SQL> GRANT SELECT ON ITEMS TO TestRole;
SQL> SHOW GRANTS;
/* Grant permissions for this database */
GRANT SELECT ON ITEMS TO ROLE TESTROLE
Now if I also assign additional UPDATE rights:
SQL> GRANT UPDATE ON ITEMS TO TestRole;
SQL> SHOW GRANTS;
/* Grant permissions for this database */
GRANT SELECT, UPDATE ON ITEMS TO ROLE TESTROLE
SQL>
If instead you query the system table RDB$USER_PRIVILEGES you'll see the list below (+ more rights for the DB owner):
USER GRANTOR PRIVILEGE GRANT_OPTION RELATION_NAME FIELD_NAME USER_TYPE OBJECT_TYPE
----------------------------------------------------------------------------------------
TESTROLE SYSDBA S 0 ITEMS [null] 13 0
TESTROLE SYSDBA U 0 ITEMS [null] 13 0
(left out the RDB$ prefix from the column names for brevity)
RDB$USERis the name of the object that received the rights. Here it isTESTROLEwhich is a role (indicated by columnRDB$USER_TYPEvalue 13).RDB$GRANTORis the user that granted the right.RDB$PRIVILEGEis the right grantedS:SELECTU:UPDATED:DELETEI:INSERTR:REFERENCE(for creating foreign keys referencing the specified table (or specific column))X:EXECUTE(for stored procedures, maybe also UDFs)
RDB$GRANT_OPTION:1: User can grant right to another user,0(sometimesNULL), user cannot grant this rightRDB$RELATION_NAME: Name of the table (or other database object)RDB$FIELD_NAME: Name of column in a table (NULLmeans right is granted for all columns)RDB$USER_TYPE: Object type of theRDB$USERcolumn (13is a role,8a normal user, other object types are possible as well, eg granting rights to a stored procedure)RDB$OBJECT_TYPE: Object type of theRDB$RELATION_NAME(eg 0: Relation, a normal table).
A full list of object types can be obtained from RDB$TYPES (this doesn't mean rights can be granted on or to all object types). Check the documentation for details.
