
Granting the RDB$ADMIN Role in the Security Database

Since nobody — not even SYSDBA — can connect to the security database remotely, the GRANT and REVOKE statements are of no use for this task. Instead, the RDB$ADMIN role is granted and revoked using the SQL statements for user management:

CREATE USER new_user
  PASSWORD 'password'
  GRANT ADMIN ROLE;

ALTER USER existing_user
  GRANT ADMIN ROLE;

ALTER USER existing_user
  REVOKE ADMIN ROLE;
Note

GRANT ADMIN ROLE and REVOKE ADMIN ROLE are not statements in the GRANT and REVOKE lexicon. They are three-word clauses to the statements CREATE USER and ALTER USER.

Table 1. Parameters for RDB$ADMIN Role GRANT and REVOKE
Parameter        Description
new_user         Name for the new user
existing_user    Name of an existing user
password         User password

The grantor must be logged in as an administrator.

Doing the Same Task Using gsec

Warning

With Firebird 3.0, gsec was deprecated. It is recommended to use the SQL user management statements instead.

An alternative is to use gsec with the -admin parameter to store the RDB$ADMIN attribute on the user’s record:

gsec -add new_user -pw password -admin yes
gsec -mo existing_user -admin yes
gsec -mo existing_user -admin no
Note

Depending on the administrative status of the current user, more parameters may be needed when invoking gsec, e.g. -user and -pass, -role, or -trusted.

Using the RDB$ADMIN Role in the Security Database

To manage user accounts through SQL, the user must have the RDB$ADMIN role in the security database. No user can connect to the security database remotely, so the solution is that the user connects to a regular database. From there, they can submit any SQL user management command.

Contrary to Firebird 3.0 or earlier, the user does not need to specify the RDB$ADMIN role on connect, nor do they need to have the RDB$ADMIN role in the database used to connect.
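
The workflow described above, written as an isql script that also audits which accounts hold the admin attribute before and after each change. This is an added example, not part of the original documentation. The database alias localhost:employee, the user names sec_admin and app_user, and both passwords are placeholders. It assumes sec_admin already holds RDB$ADMIN in the security database.

```sql
-- Constructed example: run in isql. All names and passwords are placeholders.
-- Connect to a regular database; no ROLE clause is given on connect.
CONNECT 'localhost:employee' USER 'sec_admin' PASSWORD 'placeholder_pw';

-- Baseline audit: accounts that currently carry the admin attribute
-- in the security database, per authentication plugin.
SELECT SEC$USER_NAME, SEC$PLUGIN, SEC$ACTIVE
  FROM SEC$USERS
 WHERE SEC$ADMIN IS TRUE
 ORDER BY SEC$USER_NAME;

-- Create an ordinary account first, then elevate it as a separate,
-- deliberate step so the privilege change is easy to review.
CREATE USER app_user PASSWORD 'placeholder_pw2';
COMMIT;

ALTER USER app_user GRANT ADMIN ROLE;
COMMIT;

-- Verify the change took effect. Unquoted user names are stored in upper case.
SELECT SEC$USER_NAME, SEC$ADMIN
  FROM SEC$USERS
 WHERE SEC$USER_NAME = 'APP_USER';

-- Remove the privilege again once it is no longer needed.
ALTER USER app_user REVOKE ADMIN ROLE;
COMMIT;

-- Re-run the audit: APP_USER should no longer be listed.
SELECT SEC$USER_NAME, SEC$PLUGIN, SEC$ACTIVE
  FROM SEC$USERS
 WHERE SEC$ADMIN IS TRUE
 ORDER BY SEC$USER_NAME;
```

Running the audit query on a schedule and comparing its output against an approved list is a simple way to detect unexpected administrator accounts.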

Using gsec with RDB$ADMIN Rights

To perform user management with gsec, the user must provide the extra switch -role rdb$admin.