Who Can Create a Mapping

The CREATE MAPPING statement can be executed by:

  • Administrators

  • The database owner — if the mapping is local

  • Users with the CHANGE_MAPPING_RULES system privilege — if the mapping is local

CREATE MAPPING examples

  1. Enable use of Windows trusted authentication in all databases that use the current security database:

    CREATE GLOBAL MAPPING TRUSTED_AUTH
      USING PLUGIN WIN_SSPI
      FROM ANY USER
      TO USER;

  2. Enable RDB$ADMIN access for Windows administrators in the current database:

    CREATE MAPPING WIN_ADMINS
      USING PLUGIN WIN_SSPI
      FROM Predefined_Group
      DOMAIN_ANY_RID_ADMINS
      TO ROLE RDB$ADMIN;

    Note

    The group DOMAIN_ANY_RID_ADMINS does not exist in Windows, but such a name would be added by the Win_Sspi plugin to provide exact backwards compatibility.

  3. Enable a particular user from another database to access the current database with another name:

    CREATE MAPPING FROM_RT
      USING PLUGIN SRP IN "rt"
      FROM USER U1 TO USER U2;

    Important

    Database names or aliases will need to be enclosed in double quotes on operating systems that have case-sensitive file names.

  4. Enable the server’s SYSDBA (from the main security database) to access the current database. (Assume that the database is using a non-default security database):

    CREATE MAPPING DEF_SYSDBA
      USING PLUGIN SRP IN "security.db"
      FROM USER SYSDBA
      TO USER;

  5. Ensure users who logged in using the legacy authentication plugin do not have too many privileges:

    CREATE MAPPING LEGACY_2_GUEST
      USING PLUGIN legacy_auth
      FROM ANY USER
      TO USER GUEST;
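
To review what rules like examples 1, 2 and 5 leave in place, the following added query (not part of the Firebird documentation) lists local mappings from RDB$AUTH_MAPPING and global mappings from SEC$GLOBAL_AUTH_MAPPING, and flags rules that map FROM ANY or that grant RDB$ADMIN. It assumes a FROM ANY rule is stored with '*' in the from-name column; NULL is treated the same way.

```sql
-- Added audit example; not part of the Firebird documentation.
-- Run in the database under review. Lists local and global mappings and
-- flags rules that map FROM ANY <type> or that grant the RDB$ADMIN role.
WITH all_mappings AS (
    SELECT CAST('LOCAL' AS VARCHAR(6)) AS map_scope,
           TRIM(RDB$MAP_NAME)          AS map_name,
           RDB$MAP_USING               AS map_using,   -- P, S, M or *
           TRIM(RDB$MAP_PLUGIN)        AS map_plugin,
           TRIM(RDB$MAP_DB)            AS map_db,
           TRIM(RDB$MAP_FROM_TYPE)     AS from_type,
           TRIM(RDB$MAP_FROM)          AS from_name,
           RDB$MAP_TO_TYPE             AS to_type,     -- 0 = USER, 1 = ROLE
           TRIM(RDB$MAP_TO)            AS to_name
    FROM RDB$AUTH_MAPPING
    UNION ALL
    SELECT CAST('GLOBAL' AS VARCHAR(6)),
           TRIM(SEC$MAP_NAME),
           SEC$MAP_USING,
           TRIM(SEC$MAP_PLUGIN),
           TRIM(SEC$MAP_DB),
           TRIM(SEC$MAP_FROM_TYPE),
           TRIM(SEC$MAP_FROM),
           SEC$MAP_TO_TYPE,
           TRIM(SEC$MAP_TO)
    FROM SEC$GLOBAL_AUTH_MAPPING
)
SELECT map_scope, map_name, map_using, map_plugin, map_db,
       from_type, from_name,
       IIF(to_type = 1, 'ROLE', 'USER') AS to_kind,
       to_name,   -- NULL means the incoming name is kept (TO USER without a name)
       -- Assumption: FROM ANY is stored as '*' (NULL is also treated as ANY).
       IIF(from_name IS NULL OR from_name = '*', 'Y', 'N') AS from_any,
       IIF(to_type = 1 AND UPPER(to_name) = 'RDB$ADMIN', 'Y', 'N') AS grants_rdb_admin
FROM all_mappings
ORDER BY grants_rdb_admin DESC, from_any DESC, map_scope, map_name;
```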

ALTER MAPPING

Alters a mapping of a security object

Available in

DSQL

Syntax
ALTER [GLOBAL] MAPPING name
  USING
    { PLUGIN plugin_name [IN database]
    | ANY PLUGIN [IN database | SERVERWIDE]
    | MAPPING [IN database] | '*' [IN database] }
  FROM {ANY type | type from_name}
  TO {USER | ROLE} [to_name]

For details on the options, see CREATE MAPPING.

The ALTER MAPPING statement allows you to modify any of the existing mapping options, but a local mapping cannot be changed to GLOBAL or vice versa.

Important

Global and local mappings of the same name are different objects.

Who Can Alter a Mapping

The ALTER MAPPING statement can be executed by:

  • Administrators

  • The database owner — if the mapping is local

  • Users with the CHANGE_MAPPING_RULES system privilege — if the mapping is local

ALTER MAPPING examples

Alter mapping
ALTER MAPPING FROM_RT
  USING PLUGIN SRP IN "rt"
  FROM USER U1 TO USER U3;

CREATE OR ALTER MAPPING

Creates a mapping of a security object if it doesn’t exist, or alters a mapping

Available in

DSQL

Syntax
CREATE OR ALTER [GLOBAL] MAPPING name
  USING
    { PLUGIN plugin_name [IN database]
    | ANY PLUGIN [IN database | SERVERWIDE]
    | MAPPING [IN database] | '*' [IN database] }
  FROM {ANY type | type from_name}
  TO {USER | ROLE} [to_name]

For details on the options, see CREATE MAPPING.

The CREATE OR ALTER MAPPING statement creates a new or modifies an existing mapping.

Important

Global and local mappings of the same name are different objects.

CREATE OR ALTER MAPPING examples

Creating or altering a mapping
CREATE OR ALTER MAPPING FROM_RT
  USING PLUGIN SRP IN "rt"
  FROM USER U1 TO USER U4;

DROP MAPPING

Drops a mapping of a security object

Available in

DSQL

Syntax
DROP [GLOBAL] MAPPING name

Table 1. DROP MAPPING Statement Parameter

Parameter   Description
name        Mapping name

The DROP MAPPING statement removes an existing mapping. If GLOBAL is specified, then a global mapping will be removed.

Important

Global and local mappings of the same name are different objects.

Who Can Drop a Mapping

The DROP MAPPING statement can be executed by:

  • Administrators

  • The database owner — if the mapping is local

  • Users with the CHANGE_MAPPING_RULES system privilege — if the mapping is local

DROP MAPPING examples

Drop mapping
DROP MAPPING FROM_RT;