
Cumulative Roles

The ability to grant roles to other roles and default roles results in so-called cumulative roles. Multiple roles can be active for a user, and the user receives the cumulative privileges of all those roles.

When a role is explicitly specified on connect or using SET ROLE, the user assumes all privileges granted to that role, including the privileges granted to its secondary roles (and to roles granted to those secondary roles, and so on). In other words, when the primary role is explicitly specified, the secondary roles are also activated. The function RDB$ROLE_IN_USE can be used to check whether a role is currently active.

See also [fblangref50-security-grant-role-default] for the effects of DEFAULT with cumulative roles, and [fblangref50-security-grant-withadminoption] for effects on granting.

Default Roles

A role can be granted as a default role by prefixing the role name with DEFAULT in the GRANT statement. Granting roles as default roles to users simplifies privilege management: privileges can be grouped on a role and that group granted to a user without requiring the user to explicitly specify the role. Users can receive multiple default roles and then hold all privileges of those default roles.

The effects of a default role depend on whether the role is granted to a user or to another role:

  • When a role is granted to a user as a default role, the role will be activated automatically, and its privileges will be applied to the user without the need to explicitly specify the role.

    Roles that are active by default are not returned from CURRENT_ROLE, but the function RDB$ROLE_IN_USE can be used to check if a role is currently active.

  • When a role is granted to another role as a default role, the rights of that role will only be automatically applied to the user if the primary role is granted as a default role to the user; otherwise the primary role needs to be specified explicitly (in other words, it behaves the same as if the secondary role had been granted without the DEFAULT clause).

    For a chain of granted roles, all roles need to be granted as default roles for them to be applied automatically. That is, for GRANT DEFAULT ROLEA TO ROLE ROLEB, GRANT ROLEB TO ROLE ROLEC, GRANT DEFAULT ROLEC TO USER USER1, only ROLEC is active by default for USER1. To assume the privileges of ROLEA and ROLEB, ROLEC needs to be explicitly specified, or ROLEB needs to be granted DEFAULT to ROLEC.
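The role chain described above, written out as an added example (not taken from the Language Reference itself), including the RDB$ROLE_IN_USE checks that show which links are active and the two ways to close the gap. The table T_A, its SELECT privilege, and USER1's password are constructed stand-ins; the statements after the first COMMIT are assumed to run in a session opened as USER1 with no role specified.

```sql
-- Privilege chain: ROLEA -> ROLEB -> ROLEC -> USER1 (T_A is a constructed stand-in table)
CREATE TABLE T_A (ID INTEGER NOT NULL PRIMARY KEY);
CREATE ROLE ROLEA;
CREATE ROLE ROLEB;
CREATE ROLE ROLEC;
CREATE USER USER1 PASSWORD 'placeholder';   -- placeholder password, not a real one

GRANT SELECT ON T_A TO ROLE ROLEA;          -- the privilege that should reach USER1

GRANT DEFAULT ROLEA TO ROLE ROLEB;          -- ROLEA is DEFAULT on ROLEB
GRANT ROLEB TO ROLE ROLEC;                  -- ROLEB is NOT default on ROLEC: the chain breaks here
GRANT DEFAULT ROLEC TO USER USER1;          -- ROLEC is DEFAULT for USER1
COMMIT;

-- Session opened as USER1 with no role specified (assumed).
-- CURRENT_ROLE does not report roles that are active only by default,
-- so RDB$ROLE_IN_USE is the check to rely on.
SELECT CURRENT_ROLE AS CUR,                    -- NONE
       RDB$ROLE_IN_USE('ROLEA') AS A_ACTIVE,   -- FALSE
       RDB$ROLE_IN_USE('ROLEB') AS B_ACTIVE,   -- FALSE
       RDB$ROLE_IN_USE('ROLEC') AS C_ACTIVE    -- TRUE
FROM RDB$DATABASE;
-- Only ROLEC is active, so SELECT FROM T_A is denied for USER1 at this point.

-- Remedy 1 (in the USER1 session): assume the primary role explicitly;
-- every role granted below it, DEFAULT or not, is activated with it.
SET ROLE ROLEC;
SELECT CURRENT_ROLE AS CUR,                    -- ROLEC
       RDB$ROLE_IN_USE('ROLEA') AS A_ACTIVE,   -- TRUE
       RDB$ROLE_IN_USE('ROLEB') AS B_ACTIVE    -- TRUE
FROM RDB$DATABASE;
-- SELECT FROM T_A now succeeds.

-- Remedy 2 (as the grantor): make every link in the chain DEFAULT, after which
-- ROLEA, ROLEB and ROLEC are all active for USER1 on every connection without SET ROLE.
GRANT DEFAULT ROLEB TO ROLE ROLEC;
COMMIT;
```

The first SELECT is the query to run when auditing why a user unexpectedly lacks, or unexpectedly holds, privileges that were granted through roles: a FALSE in the middle of a chain points at the link granted without DEFAULT.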