
AUTO ADMIN MAPPING

Windows Administrators are not automatically granted RDB$ADMIN privileges when connecting to a database (when Win_Sspi is enabled). The AUTO ADMIN MAPPING switch determines whether Administrators receive automatic RDB$ADMIN rights, on a database-by-database basis. By default, when a database is created, the switch is disabled.

If AUTO ADMIN MAPPING is enabled in the database, it will take effect whenever a Windows Administrator connects:

  1. using Win_Sspi authentication, and

  2. without specifying any role

After a successful “auto admin” connection, the current role is set to RDB$ADMIN.

If an explicit role was specified on connect, the RDB$ADMIN role can be assumed later in the session using SET TRUSTED ROLE.
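The two connect-time conditions above, and the SET TRUSTED ROLE fallback, can be verified from inside a session. The following isql script is an added example written for this page, not part of the Firebird documentation; the database path and the role name APP_ROLE are constructed placeholders, and the script assumes a Windows Administrator connecting through Win_Sspi (no user name or password supplied).

```sql
-- Added example (not from the Firebird documentation). Placeholders:
-- the database path and the role APP_ROLE are constructed for illustration.

-- 1. Connect via Win_Sspi without specifying a role. If AUTO ADMIN MAPPING
--    (or an equivalent mapping to RDB$ADMIN) was enabled in this database
--    at connect time, CURRENT_ROLE is already RDB$ADMIN.
CONNECT 'localhost:C:\db\example.fdb';

SELECT CURRENT_USER AS who, CURRENT_ROLE AS active_role
FROM RDB$DATABASE;

-- 2. Reconnect with an explicit role. The automatic mapping is not applied
--    now, so CURRENT_ROLE shows APP_ROLE, not RDB$ADMIN.
CONNECT 'localhost:C:\db\example.fdb' ROLE 'APP_ROLE';

SELECT CURRENT_ROLE AS active_role
FROM RDB$DATABASE;

-- 3. Assume the role provided by the mapping later in the session.
--    SET TRUSTED ROLE raises an error if no trusted role is available to
--    this user, i.e. if the mapping is absent or Win_Sspi was not used.
SET TRUSTED ROLE;

SELECT CURRENT_ROLE AS active_role
FROM RDB$DATABASE;
```

Step 1 is the quickest way for an administrator to confirm that a given database actually has the switch on: the role shown there reflects the mapping status at the moment the connection was made, which is the only moment it is evaluated in a regular database.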

Auto Admin Mapping in Regular Databases

To enable and disable automatic mapping in a regular database:

ALTER ROLE RDB$ADMIN
  SET AUTO ADMIN MAPPING;  -- enable it

ALTER ROLE RDB$ADMIN
  DROP AUTO ADMIN MAPPING; -- disable it

Either statement must be issued by a user with sufficient rights, that is:

  • The database owner

  • An administrator

  • A user with the ALTER ANY ROLE privilege

Note

The statement

ALTER ROLE RDB$ADMIN
  SET AUTO ADMIN MAPPING;

is a simplified form of a CREATE MAPPING statement that creates a mapping of the predefined group DOMAIN_ANY_RID_ADMINS to the role RDB$ADMIN:

CREATE MAPPING WIN_ADMINS
  USING PLUGIN WIN_SSPI
  FROM Predefined_Group DOMAIN_ANY_RID_ADMINS
  TO ROLE RDB$ADMIN;

Accordingly, the statement

ALTER ROLE RDB$ADMIN
  DROP AUTO ADMIN MAPPING;

is equivalent to the statement

DROP MAPPING WIN_ADMINS;

In a regular database, the status of AUTO ADMIN MAPPING is checked only at connect time. If an Administrator holds the RDB$ADMIN role because auto-mapping was on when they logged in, they keep that role for the duration of the session, even if they or someone else turns off the mapping in the meantime.

Likewise, switching on AUTO ADMIN MAPPING will not change the current role to RDB$ADMIN for Administrators who were already connected.

Auto Admin Mapping in the Security Database

The ALTER ROLE RDB$ADMIN statement cannot enable or disable AUTO ADMIN MAPPING in the security database. However, you can create a global mapping of the predefined group DOMAIN_ANY_RID_ADMINS to the role RDB$ADMIN in the following way:

CREATE GLOBAL MAPPING WIN_ADMINS
  USING PLUGIN WIN_SSPI
  FROM Predefined_Group DOMAIN_ANY_RID_ADMINS
  TO ROLE RDB$ADMIN;

Additionally, you can use gsec:

gsec -mapping set

gsec -mapping drop

Note

Depending on the administrative status of the current user, more parameters may be needed when invoking gsec, e.g. -user and -pass, -role, or -trusted.

Only SYSDBA can enable AUTO ADMIN MAPPING if it is disabled, but any administrator can turn it off.

An Administrator who turns off AUTO ADMIN MAPPING with gsec disables the very mechanism that gave them access, so they will not be able to re-enable it themselves. Even in an interactive gsec session, the new flag setting takes effect immediately.
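Because the ALTER ROLE shorthand, an explicit CREATE MAPPING and a CREATE GLOBAL MAPPING all end up as mapping rows, the practical way to audit which databases grant RDB$ADMIN to Windows Administrators is to list those rows. The script below is an added example written for this page, not part of the Firebird documentation; it assumes the Firebird 3+ system table RDB$AUTH_MAPPING (per-database mappings) and the virtual table SEC$GLOBAL_AUTH_MAPPING (mappings stored in the security database, visible from any database), and the column names used are those of these two tables. The mapping name WIN_ADMINS in the commented clean-up statements is the example name from the text above.

```sql
-- Added example (not from the Firebird documentation). Assumes the
-- Firebird 3+ tables RDB$AUTH_MAPPING and SEC$GLOBAL_AUTH_MAPPING.

-- 1. Per-database mappings that grant RDB$ADMIN. A row produced by
--    ALTER ROLE RDB$ADMIN SET AUTO ADMIN MAPPING, or by the equivalent
--    CREATE MAPPING, shows plugin WIN_SSPI and source DOMAIN_ANY_RID_ADMINS.
--    No rows means AUTO ADMIN MAPPING is off in this database (unless a
--    global mapping applies, see step 2).
SELECT TRIM(RDB$MAP_NAME)   AS map_name,
       TRIM(RDB$MAP_PLUGIN) AS plugin,
       TRIM(RDB$MAP_FROM)   AS mapped_from,
       TRIM(RDB$MAP_TO)     AS mapped_to
FROM RDB$AUTH_MAPPING
WHERE RDB$MAP_TO = 'RDB$ADMIN';

-- 2. Global mappings held in the security database. These apply to every
--    database served by that security database and are what
--    CREATE GLOBAL MAPPING, or gsec -mapping set, produces.
SELECT TRIM(SEC$MAP_NAME)   AS map_name,
       TRIM(SEC$MAP_PLUGIN) AS plugin,
       TRIM(SEC$MAP_FROM)   AS mapped_from,
       TRIM(SEC$MAP_TO)     AS mapped_to
FROM SEC$GLOBAL_AUTH_MAPPING
WHERE SEC$MAP_TO = 'RDB$ADMIN';

-- 3. Remove a mapping that is no longer wanted, using the name reported
--    by step 1 or 2. Requires the rights listed above (database owner,
--    administrator, or ALTER ANY ROLE); remember that sessions already
--    connected keep RDB$ADMIN until they disconnect.
-- DROP MAPPING WIN_ADMINS;          -- per-database mapping
-- DROP GLOBAL MAPPING WIN_ADMINS;   -- global mapping in the security database
```

Running step 1 against each database and step 2 once gives a complete picture of where a Windows Administrator silently becomes RDB$ADMIN, which is exactly the information the connect-time rule hides from a session that is already open.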

Administrators

An administrator is a user that has sufficient rights to read, write to, create, alter or delete any object in a database to which that user’s administrator status applies. The table summarises how “superuser” privileges are enabled in the various Firebird security contexts.

Table 1. Administrator (“Superuser”) Characteristics

Columns: User | RDB$ADMIN Role | Comments

SYSDBA
  RDB$ADMIN Role: Auto
  Comments: Exists automatically at server level. Has full privileges to all objects in all databases. Can create, alter and drop users, but has no direct remote access to the security database.

root user on POSIX
  RDB$ADMIN Role: Auto
  Comments: Exactly like SYSDBA. Firebird Embedded only.

Superuser on POSIX
  RDB$ADMIN Role: Auto
  Comments: Exactly like SYSDBA. Firebird Embedded only.

Windows Administrator
  RDB$ADMIN Role: Set as CURRENT_ROLE if login succeeds
  Comments: Exactly like SYSDBA if the following are all true:
    • In the firebird.conf file, AuthServer includes Win_Sspi, and Win_Sspi is present in the client-side plugins (AuthClient) configuration
    • The database has AUTO ADMIN MAPPING enabled, or an equivalent mapping of the predefined group DOMAIN_ANY_RID_ADMINS to the role RDB$ADMIN exists
    • No role is specified at login

Database owner
  RDB$ADMIN Role: Auto
  Comments: Like SYSDBA, but only in the databases they own.

Regular user
  RDB$ADMIN Role: Must be previously granted; must be supplied at login or have been granted as a default role
  Comments: Like SYSDBA, but only in the databases where the role is granted.

POSIX OS user
  RDB$ADMIN Role: Must be previously granted; must be supplied at login or have been granted as a default role
  Comments: Like SYSDBA, but only in the databases where the role is granted. Firebird Embedded only.

Windows user
  RDB$ADMIN Role: Must be previously granted; must be supplied at login
  Comments: Like SYSDBA, but only in the databases where the role is granted. Only available if, in the firebird.conf file, AuthServer includes Win_Sspi, and Win_Sspi is present in the client-side plugins (AuthClient) configuration.