Firebird Documentation IndexFirebird 2.5 Release NotesCommand-line Utilities → gsec
Firebird Home Firebird Home Prev: Retrieve Password from a File or PromptFirebird Documentation IndexUp: Command-line UtilitiesNext: fbsvcmgr

gsec

Mapping Switch for Windows Administrators
Command-line Help for gsec

The following improvements have been added for gsec:

Mapping Switch for Windows Administrators

Alex Peshkov

Since v.2.1, Windows domain administrators have had full access to the user management functions. In v.2.5 they do not get these privileges automatically unless the SYSDBA has configured the security database to make it happen automatically.

In the Administrative Features chapter is a detailed overview of the new system role RDB$ADMIN. There, you will find descriptions of the new ALTER ROLE syntax that can be used by the SYSDBA to enable or disable the automatic mapping of Windows administrators to the RDB$ADMIN role in databases, including the security database which they access when creating, altering and dropping users.

This automatic mapping can also be done in a gsec command-line call, using the new -mapping switch.

Mapping an OS Administrator to the RDB$ADMIN Role

The new -mapping switch is used to enable or disable the association of an operating system user with the RDB$ADMIN role in the security database. It takes one argument: either set to enable the association or drop to disable it. The syntax is: 

  -mapping {set | drop}

Granting the RDB$ADMIN Role to a Firebird User

The introduction of the RDB$ADMIN system role has made it possible to escalate the privileges of an ordinary user. However, it was (and still is) not possible any for any user, even SYSDBA, to attach directly to the security database and grant the required permissions for the user to manage other users. A parameter—GRANT ADMIN ROLE—was included in the new CREATE USER and ALTER USER statement syntaxes to enable SYSDBA, or another user that has already acquired the RDB$ADMIN role in the security database, to have the RDB$ADMIN role applied to an ordinary user “at arm's length”, as it were.

The same can be achieved in gsec using the new switch -admin. It takes one argument: either YES (to grant the RDB$ADMIN role to the specified user in security2.fdb) or NO (to revoke it). The syntax is: 

  -admin {YES | NO}

Command-line Help for gsec

Claudio Valderrama

Tracker reference: CORE-756)

Parameter help has been implemented for gsec, accessible by using the -help or -? switches.

Prev: Retrieve Password from a File or PromptFirebird Documentation IndexUp: Command-line UtilitiesNext: fbsvcmgr
Firebird Documentation IndexFirebird 2.5 Release NotesCommand-line Utilities → gsec