
Auto Admin Mapping in the Security Database

The ALTER ROLE RDB$ADMIN statement cannot enable or disable AUTO ADMIN MAPPING in the security database. However, you can create a global mapping for the predefined group DOMAIN_ANY_RID_ADMINS to the role RDB$ADMIN in the following way:

CREATE GLOBAL MAPPING WIN_ADMINS
  USING PLUGIN WIN_SSPI
  FROM Predefined_Group DOMAIN_ANY_RID_ADMINS
  TO ROLE RDB$ADMIN;

Additionally, you can use gsec:

gsec -mapping set

gsec -mapping drop

Note

Depending on the administrative status of the current user, more parameters may be needed when invoking gsec, e.g. -user and -pass, -role, or -trusted.

Only SYSDBA can enable AUTO ADMIN MAPPING if it is disabled, but any administrator can turn it off.

When turning off AUTO ADMIN MAPPING in gsec, the user turns off the mechanism itself which gave them access, and thus they would not be able to re-enable AUTO ADMIN MAPPING. Even in an interactive gsec session, the new flag setting takes effect immediately.

Administrators

An administrator is a user that has sufficient rights to read, write to, create, alter or delete any object in a database to which that user’s administrator status applies. The table summarises how “superuser” privileges are enabled in the various Firebird security contexts.

Table 1. Administrator (“Superuser”) Characteristics

| User | RDB$ADMIN Role | Comments |
|------|----------------|----------|
| SYSDBA | Auto | Exists automatically at server level. Has full privileges to all objects in all databases. Can create, alter and drop users, but has no direct remote access to the security database |
| root user on POSIX | Auto | Exactly like SYSDBA. Firebird Embedded only. |
| Superuser on POSIX | Auto | Exactly like SYSDBA. Firebird Embedded only. |
| Windows Administrator | Set as CURRENT_ROLE if login succeeds | Exactly like SYSDBA if the following are all true: (1) In firebird.conf file, AuthServer includes Win_Sspi, and Win_Sspi is present in the client-side plugins (AuthClient) configuration; (2) In databases where AUTO ADMIN MAPPING is enabled, or an equivalent mapping of the predefined group DOMAIN_ANY_RID_ADMINS for the role RDB$ADMIN exists; (3) No role is specified at login |
| Database owner | Auto | Like SYSDBA, but only in the databases they own |
| Regular user | Must be previously granted; must be supplied at login or have been granted as a default role | Like SYSDBA, but only in the databases where the role is granted |
| POSIX OS user | Must be previously granted; must be supplied at login or have been granted as a default role | Like SYSDBA, but only in the databases where the role is granted. Firebird Embedded only. |
| Windows user | Must be previously granted; must be supplied at login | Like SYSDBA, but only in the databases where the role is granted. Only available if in firebird.conf file, AuthServer includes Win_Sspi, and Win_Sspi is present in the client-side plugins (AuthClient) configuration |
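
An audit to go with the mapping statement and Table 1, added here as an example and not taken from the Firebird documentation: it lists every mapping and grant through which a login can obtain RDB$ADMIN in the connected database. It assumes the Firebird 3.0 or later system tables SEC$GLOBAL_AUTH_MAPPING, RDB$AUTH_MAPPING and RDB$USER_PRIVILEGES; the column aliases are chosen for this example.

```sql
-- Added audit example; not part of the Firebird documentation.
-- Run in isql as an administrator, connected to the database under review.

-- 1. Every mapping, global or local, that hands out RDB$ADMIN.
--    Rows whose FROM_NAME is the DOMAIN_ANY_RID_ADMINS group mean that
--    Windows administrators become database administrators on login.
SELECT 'global'                AS SCOPE,
       TRIM(SEC$MAP_NAME)      AS MAP_NAME,
       TRIM(SEC$MAP_PLUGIN)    AS PLUGIN,
       TRIM(SEC$MAP_FROM_TYPE) AS FROM_TYPE,
       TRIM(SEC$MAP_FROM)      AS FROM_NAME
  FROM SEC$GLOBAL_AUTH_MAPPING
 WHERE SEC$MAP_TO_TYPE = 1                 -- 1 = the mapping targets a role
   AND TRIM(SEC$MAP_TO) = 'RDB$ADMIN'
UNION ALL
SELECT 'local',
       TRIM(RDB$MAP_NAME),
       TRIM(RDB$MAP_PLUGIN),
       TRIM(RDB$MAP_FROM_TYPE),
       TRIM(RDB$MAP_FROM)
  FROM RDB$AUTH_MAPPING
 WHERE RDB$MAP_TO_TYPE = 1
   AND TRIM(RDB$MAP_TO) = 'RDB$ADMIN';

-- 2. Accounts that were granted RDB$ADMIN explicitly in this database
--    (the "Must be previously granted" rows of Table 1).
SELECT TRIM(RDB$USER)    AS GRANTEE,
       TRIM(RDB$GRANTOR) AS GRANTOR,
       RDB$GRANT_OPTION  AS GRANT_OPTION   -- non-zero: grantee can pass the role on
  FROM RDB$USER_PRIVILEGES
 WHERE RDB$PRIVILEGE = 'M'                 -- 'M' = role membership
   AND RDB$OBJECT_TYPE = 13                -- 13 = role
   AND TRIM(RDB$RELATION_NAME) = 'RDB$ADMIN';

-- 3. What the current session actually received. A trusted Windows login
--    that reports RDB$ADMIN here without having named a role got it
--    through one of the mappings listed in step 1.
SELECT CURRENT_USER, CURRENT_ROLE FROM RDB$DATABASE;

-- 4. Removing a mapping found in step 1 (use the MAP_NAME it reported).
--    Left commented out so the script stays read-only by default.
-- DROP GLOBAL MAPPING WIN_ADMINS;   -- SCOPE = global
-- DROP MAPPING WIN_ADMINS;          -- SCOPE = local
```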