Using gsec with RDB$ADMIN Rights
To perform user management with gsec, the user must provide the extra switch -role rdb$admin.
%22%20gradientUnits%3D%22userSpaceOnUse%22%3E%3Cstop%20stop-color%3D%22%23fd0a02%22%20offset%3D%220%22%2F%3E%3Cstop%20stop-color%3D%22%23fd3703%22%20offset%3D%22.27%22%2F%3E%3Cstop%20stop-color%3D%22%23fffb17%22%20offset%3D%221%22%2F%3E%3C%2FlinearGradient%3E%3CradialGradient%20id%3D%22IDa%22%20cx%3D%22226.87%22%20cy%3D%22227.78%22%20r%3D%22226.77%22%20gradientTransform%3D%22matrix(1%200%200%20.99928%204.5%20.16398)%22%20gradientUnits%3D%22userSpaceOnUse%22%20spreadMethod%3D%22reflect%22%3E%3Cstop%20stop-color%3D%22%23fffb17%22%20offset%3D%22-99%22%2F%3E%3Cstop%20stop-color%3D%22%23fd3703%22%20style%3D%22stop-color%3A%23d6d6d6%3Bstop-opacity%3A.80992%22%20offset%3D%22-25.96%22%2F%3E%3Cstop%20stop-color%3D%22%23fd0a02%22%20style%3D%22stop-color%3A%23640401%22%20offset%3D%221%22%2F%3E%3C%2FradialGradient%3E%3Cfilter%20id%3D%22IDc%22%20x%3D%22-.073393%22%20y%3D%22-.073446%22%20width%3D%221.1468%22%20height%3D%221.1469%22%20style%3D%22color-interpolation-filters%3AsRGB%22%3E%3CfeGaussianBlur%20stdDeviation%3D%2213.661255%22%2F%3E%3C%2Ffilter%3E%3C%2Fdefs%3E%3Cg%20transform%3D%22translate(28.187%2031.614)%22%3E%3Cpath%20d%3D%22m144.36%20418.24c-31.519-36.408-42.174-117.36-35.104-140.33%209.9544-32.345%2021.049-46.054%2052.91-61.14%2012.171-5.7629%2030.369-9.7087%2040.618-16.999%209.6275-6.8485%2011.103-20.882%200.3031-30.555-11.374-10.186-25.905-6.8539-44.714-1.9463-0.8293%200.2163-2.2371%201.2415-2.4517%202.0893-0.5764%202.2763%200.3517%204.8404%201.55%207.9654-13.009-4.9358-26.833-14.752-28.839-21.314-6.3773-20.865%2017.573-38.445%2048.266-37.644-3.4102-17.273-3.4635-26.602%2018.537-25.134%2032.366%202.1593%2053.818%2013.086%2085.84%2021.325%202.5911%200.6668%2015.302%204.2674%2017.351%202.4455%201.3911-1.2363%202.2548-6.8008%204.1746-11.352%201.7884%205.7771%203.6412%2013.171%201.3306%2018.928-3.601%208.9701-42.338%200.4436-49.836-0.4936-1.4719%202.0873-0.7547%206.4248%201.0548%206.9152%2021.778%205.9031%2040.947%2025.511%2046.258%2034.455%208.8055%2014.832%2010.521%2029.513%207.7741%2042.707-2.5105%2012.06-21.178%2036.296-31.757%2050.233-13.891%2018.301-22.03%2028.984-9.0675%2043.421%206.6796%207.4391%2040.824%2010.557%2075.278-3.6384%2030.204-12.444%2075.735-59.108%2075.527-110.4-0.4087-100.65-83.111-169.04-176.17-181.35-4.1817-0.6355-4.2058-5.2511-0.0238-5.2514%2085.729-8e-3%20214.98%2078.833%20214.98%20226.49%202e-4%20127-105.71%20226.72-223.18%20226.72-46.871%200-69.584-11.872-90.603-36.151zm-139.76-190.62c0-147.17%20129.41-226.45%20214.98-226.45%204.2192%200%204.2282%204.6119%209e-3%205.2304-94.354%2010.94-163.61%2072.376-180.2%20163.11-13.135%2071.848%2014.501%20141.16%2066.086%20182.98%206.8172%2036.501%2027.251%2073.534%2052.047%2089.504-97.014-32.749-152.92-124.89-152.92-214.38zm189.2-109.32c-1.0982-0.0895-5.4887-5.9834-1.2128-6.6405%2010.982-1.6874%2021.989%202.9859%2027.148%206.8763%200.9582%200.7226%200.4686%203.0838-0.2361%202.9402-5.5378-1.1299-24.15-3.05-25.699-3.176z%22%20style%3D%22fill-rule%3Aevenodd%3Bfill%3Aurl(%23IDa)%3Bfilter%3Aurl(%23IDc)%3Bmix-blend-mode%3Anormal%3Bopacity%3A.61733%3Bstroke-width%3A.99975%3Bstroke%3A%23000000%22%2F%3E%3Cpath%20d%3D%22m139.76%20417.07c-31.519-36.408-42.174-117.36-35.104-140.33%209.9544-32.345%2021.049-46.054%2052.91-61.14%2012.171-5.7629%2030.369-9.7087%2040.618-16.999%209.6275-6.8485%2011.103-20.882%200.3031-30.555-11.374-10.186-25.905-6.8539-44.714-1.9463-0.8293%200.2163-2.2371%201.2415-2.4517%202.0893-0.5764%202.2763%200.3517%204.8404%201.55%207.9654-13.009-4.9358-26.833-14.752-28.839-21.314-6.3773-20.865%2017.573-38.445%2048.266-37.644-3.4102-17.273-3.4635-26.602%2018.537-25.134%2032.366%202.1593%2053.818%2013.086%2085.84%2021.325%202.5911%200.6668%2015.302%204.2674%2017.351%202.4455%201.3911-1.2363%202.2548-6.8008%204.1746-11.352%201.7884%205.7771%203.6412%2013.171%201.3306%2018.928-3.601%208.9701-42.338%200.4436-49.836-0.4936-1.4719%202.0873-0.7547%206.4248%201.0548%206.9152%2021.778%205.9031%2040.947%2025.511%2046.258%2034.455%208.8055%2014.832%2010.521%2029.513%207.7741%2042.707-2.5105%2012.06-21.178%2036.296-31.757%2050.233-13.891%2018.301-22.03%2028.984-9.0675%2043.421%206.6796%207.4391%2040.824%2010.557%2075.278-3.6384%2030.204-12.444%2075.735-59.108%2075.527-110.4-0.4087-100.65-83.111-169.04-176.17-181.35-4.1817-0.6355-4.2058-5.2511-0.0238-5.2514%2085.729-8e-3%20214.98%2078.833%20214.98%20226.49%202e-4%20127-105.71%20226.72-223.18%20226.72-46.871%200-69.584-11.872-90.603-36.151zm-139.76-190.62c0-147.17%20129.41-226.45%20214.98-226.45%204.2192%200%204.2282%204.6119%209e-3%205.2304-94.354%2010.94-163.61%2072.376-180.2%20163.11-13.135%2071.848%2014.501%20141.16%2066.086%20182.98%206.8172%2036.501%2027.251%2073.534%2052.047%2089.504-97.014-32.749-152.92-124.89-152.92-214.38zm189.2-109.32c-1.0982-0.0895-5.4887-5.9834-1.2128-6.6405%2010.982-1.6874%2021.989%202.9859%2027.148%206.8763%200.9582%200.7226%200.4686%203.0838-0.2361%202.9402-5.5378-1.1299-24.15-3.05-25.699-3.176z%22%20style%3D%22fill-rule%3Aevenodd%3Bfill%3Aurl(%23IDb)%3Bstroke-width%3A.32475%3Bstroke%3A%23909090%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E%0A){kind=small}
- Anglaiskeyboard_arrow_down
- languageFrançais
- languageРусский
- languageDeutsch
Using gsec with
Granting the RDB$ADMIN Role in a Regular Database
In a regular database, the RDB$ADMIN role is granted and revoked with the usual syntax for granting and revoking roles:
GRANT [DEFAULT] RDB$ADMIN TO username REVOKE [DEFAULT] RDB$ADMIN FROM username
| Parameter | Description |
|---|---|
username |
Name of the user |
To grant and revoke the RDB$ADMIN role, the grantor must be logged in as an administrator.
Using the RDB$ADMIN Role in a Regular Database
To exercise their RDB$ADMIN privileges, the role must either have been granted as a default role, or the grantee has to include the role in the connection attributes when connecting to the database, or specify it later using SET ROLE.
AUTO ADMIN MAPPING
Windows Administrators are not automatically granted RDB$ADMIN privileges when connecting to a database (when Win_Sspi is enabled).The AUTO ADMIN MAPPING switch determines whether Administrators have automatic RDB$ADMIN rights, on a database-by-database basis.By default, when a database is created, it is disabled.
If AUTO ADMIN MAPPING is enabled in the database, it will take effect whenever a Windows Administrator connects:
-
using
Win_Sspiauthentication, and -
without specifying any role
After a successful “auto admin” connection, the current role is set to RDB$ADMIN.
If an explicit role was specified on connect, the RDB$ADMIN role can be assumed later in the session using SET TRUSTED ROLE.
Auto Admin Mapping in Regular Databases
To enable and disable automatic mapping in a regular database:
ALTER ROLE RDB$ADMIN
SET AUTO ADMIN MAPPING; -- enable it
ALTER ROLE RDB$ADMIN
DROP AUTO ADMIN MAPPING; -- disable itEither statement must be issued by a user with sufficient rights, that is:
-
The database owner
-
A user with the
ALTER ANY ROLEprivilege
|
Note
|
The statement is a simplified form of a Accordingly, the statement is equivalent to the statement For details, see [fblangref50-security-mapping] |
In a regular database, the status of AUTO ADMIN MAPPING is checked only at connect time.If an Administrator has the RDB$ADMIN role because auto-mapping was on when they logged in, they will keep that role for the duration of the session, even if they or someone else turns off the mapping in the meantime.
Likewise, switching on AUTO ADMIN MAPPING will not change the current role to RDB$ADMIN for Administrators who were already connected.
Auto Admin Mapping in the Security Database
The ALTER ROLE RDB$ADMIN statement cannot enable or disable AUTO ADMIN MAPPING in the security database.However, you can create a global mapping for the predefined group DOMAIN_ANY_RID_ADMINS to the role RDB$ADMIN in the following way:
CREATE GLOBAL MAPPING WIN_ADMINS
USING PLUGIN WIN_SSPI
FROM Predefined_Group DOMAIN_ANY_RID_ADMINS
TO ROLE RDB$ADMIN;Additionally, you can use gsec:
gsec -mapping set gsec -mapping drop
|
Note
|
Depending on the administrative status of the current user, more parameters may be needed when invoking gsec, e.g. |
Only SYSDBA can enable AUTO ADMIN MAPPING if it is disabled, but any administrator can turn it off.
When turning off AUTO ADMIN MAPPING in gsec, the user turns off the mechanism itself which gave them access, and thus they would not be able to re-enable AUTO ADMIN MAPPING.Even in an interactive gsec session, the new flag setting takes effect immediately.
Administrators
An administrator is a user that has sufficient rights to read, write to, create, alter or delete any object in a database to which that user’s administrator status applies.The table summarises how “superuser” privileges are enabled in the various Firebird security contexts.
| User | RDB$ADMIN Role | Comments |
|---|---|---|
|
Auto |
Exists automatically at server level.Has full privileges to all objects in all databases.Can create, alter and drop users, but has no direct remote access to the security database |
root user on POSIX |
Auto |
Exactly like |
Superuser on POSIX |
Auto |
Exactly like |
Windows Administrator |
Set as |
Exactly like
|
Database owner |
Auto |
Like |
Regular user |
Must be previously granted;must be supplied at login or have been granted as a default role |
Like |
POSIX OS user |
Must be previously granted;must be supplied at login or have been granted as a default role |
Like |
Windows user |
Must be previously granted;must be supplied at login |
Like |
Fine-grained System Privileges
In addition to granting users full administrative privileges, system privileges make it possible to grant regular users a subset of administrative privileges that have historically been limited to SYSDBA and administrators only.For example:
-
Run utilities such as gbak, gfix, nbackup and so on
-
Shut down a database and bring it online
-
Trace other users' attachments
-
Access the monitoring tables
The implementation defines a set of system privileges, analogous to object privileges, from which lists of privileged tasks can be assigned to roles.
It is also possible to grant normal privileges to a system privilege, making the system privilege act like a special role type.
The system privileges are assigned through CREATE ROLE and ALTER ROLE.
|
Warning
|
Be aware that each system privilege provides a very thin level of control.For some tasks it may be necessary to give the user more than one privilege to perform some task.For example, add |
List of Valid System Privileges
The following table lists the names of the valid system privileges that can be granted to and revoked from roles.
USER_MANAGEMENT
|
Manage users (given in the security database) |
READ_RAW_PAGES
|
Read pages in raw format using |
CREATE_USER_TYPES
|
Add/change/delete non-system records in |
USE_NBACKUP_UTILITY
|
Use nbackup to create database copies |
CHANGE_SHUTDOWN_MODE
|
Shut down database and bring online |
TRACE_ANY_ATTACHMENT
|
Trace other users' attachments |
MONITOR_ANY_ATTACHMENT
|
Monitor (tables |
ACCESS_SHUTDOWN_DATABASE
|
Access database when it is shut down |
CREATE_DATABASE
|
Create new databases (given in the security database) |
DROP_DATABASE
|
Drop this database |
USE_GBAK_UTILITY
|
Use gbak utility |
USE_GSTAT_UTILITY
|
Use gstat utility |
USE_GFIX_UTILITY
|
Use gfix utility |
IGNORE_DB_TRIGGERS
|
Instruct engine not to run DB-level triggers |
CHANGE_HEADER_SETTINGS
|
Modify parameters in DB header page |
SELECT_ANY_OBJECT_IN_DATABASE
|
Use |
ACCESS_ANY_OBJECT_IN_DATABASE
|
Access (in any possible way) any object |
MODIFY_ANY_OBJECT_IN_DATABASE
|
Modify (up to drop) any object |
CHANGE_MAPPING_RULES
|
Change authentication mappings |
USE_GRANTED_BY_CLAUSE
|
Use |
GRANT_REVOKE_ON_ANY_OBJECT
|
|
GRANT_REVOKE_ANY_DDL_RIGHT
|
|
CREATE_PRIVILEGED_ROLES
|
Use |
GET_DBCRYPT_INFO
|
Get database encryption information |
MODIFY_EXT_CONN_POOL
|
Use command |
REPLICATE_INTO_DATABASE
|
Use replication API to load change sets into database |
PROFILE_ANY_ATTACHMENT
|
Profile attachments of other users |