Firebird Documentation IndexFirebird 2.5 Language Ref. UpdateSecurity and access control → AUTO ADMIN MAPPING
Firebird Home Firebird Home Prev: The RDB$ADMIN roleFirebird Documentation IndexUp: Security and access controlNext: SQL user management commands

AUTO ADMIN MAPPING

In normal databases
In the security database

Platform: Windows only

Added in: 2.5

Description: In Firebird 2.1, Windows administrators would automatically receive SYSDBA privileges if they used trusted authentication to connect to the server. In Firebird 2.5, this is no longer the case. Whether administrators have automatic SYSDBA rights now depends on the setting of AUTO ADMIN MAPPING. This is a per-database switch which is off by default. If AUTO ADMIN MAPPING is on, it will take effect whenever a Windows administrator: a) connects using trusted authentication, and b) does not specify any role when connecting. After a successful “auto admin” connect, the current role is set to RDB$ADMIN.

In normal databases

To turn the automatic mapping on and off in a regular database:

ALTER ROLE RDB$ADMIN SET AUTO ADMIN MAPPING
ALTER ROLE RDB$ADMIN DROP AUTO ADMIN MAPPING

These statements must be issued by a user with sufficient rights, that is:

  • The database owner;

  • SYSDBA;

  • anybody who has the RDB$ADMIN role in the database and specified it while connecting;

  • if AUTO ADMIN MAPPING is on for the database: any Windows administrator who connected to the database using trusted authentication without specifying a role.

In normal databases, the status of AUTO ADMIN MAPPING is checked at connect time only. If an administrator has the RDB$ADMIN role because the mapping was on when he connected, he will keep that role for the duration of the connection, even if he or someone else turns off the mapping in the meantime. Likewise, setting AUTO ADMIN MAPPING on will not change the current role to RDB$ADMIN for administrators who were already connected.

In the security database

There are no SQL statements to turn the automatic mapping on and off in the security database. Instead, gsec must be used:

gsec -mapping set
gsec -mapping drop

Depending on the situation, more parameters may be needed when invoking gsec, e.g. -user and -pass, or -trusted.

These commands can be given by:

  • SYSDBA;

  • if AUTO ADMIN MAPPING is on for the security database: any Windows administrator who invokes gsec using trusted authentication without specifying a role.

Unlike the case with regular databases, users connecting with the RDB$ADMIN role cannot turn AUTO ADMIN MAPPING on or off in the security database. Also notice that the Windows administrator in the second listitem can only turn the mapping off. In doing so, he shuts off the very mechanism that gave him access in the first place, so he won't be able to turn it back on again. (Even in an interactive gsec session, the new setting takes effect immediately.)

Prev: The RDB$ADMIN roleFirebird Documentation IndexUp: Security and access controlNext: SQL user management commands
Firebird Documentation IndexFirebird 2.5 Language Ref. UpdateSecurity and access control → AUTO ADMIN MAPPING