Firebird Documentation Index → Firebird 2.5 Language Ref. Update → Security and access control → AUTO ADMIN MAPPING |
Table of Contents
Find a more recent version at Firebird 5.0 Language Reference: AUTO ADMIN MAPPING
Platform: Windows only
Added in: 2.5
Description: In Firebird 2.1, Windows administrators would automatically receive SYSDBA privileges if they used trusted authentication to connect to the server. In Firebird 2.5, this is no longer the case. Whether administrators have automatic SYSDBA rights now depends on the setting of AUTO ADMIN MAPPING. This is a per-database switch which is off by default. If AUTO ADMIN MAPPING is on, it will take effect whenever a Windows administrator: a) connects using trusted authentication, and b) does not specify any role when connecting. After a successful “auto admin” connect, the current role is set to RDB$ADMIN.
To turn the automatic mapping on and off in a regular database:
ALTER ROLE RDB$ADMIN SET AUTO ADMIN MAPPING ALTER ROLE RDB$ADMIN DROP AUTO ADMIN MAPPING
These statements must be issued by a user with sufficient rights, that is:
The database owner;
SYSDBA;
anybody who has the RDB$ADMIN role in the database and specified it while connecting;
if AUTO ADMIN MAPPING is on for the database: any Windows administrator who connected to the database using trusted authentication without specifying a role.
In normal databases, the status of AUTO ADMIN MAPPING is checked at connect time only. If an administrator has the RDB$ADMIN role because the mapping was on when he connected, he will keep that role for the duration of the connection, even if he or someone else turns off the mapping in the meantime. Likewise, setting AUTO ADMIN MAPPING on will not change the current role to RDB$ADMIN for administrators who were already connected.
There are no SQL statements to turn the automatic mapping on and off in the security database. Instead, gsec must be used:
gsec -mapping set gsec -mapping drop
Depending on the situation, more parameters may be needed when invoking gsec, e.g.
-user
and -pass
, or
-trusted
.
These commands can be given by:
SYSDBA;
if AUTO ADMIN MAPPING is on for the security database: any Windows administrator who invokes gsec using trusted authentication without specifying a role.
Unlike the case with regular databases, users connecting with the RDB$ADMIN role cannot turn AUTO ADMIN MAPPING on or off in the security database. Also notice that the Windows administrator in the second listitem can only turn the mapping off. In doing so, he shuts off the very mechanism that gave him access in the first place, so he won't be able to turn it back on again. (Even in an interactive gsec session, the new setting takes effect immediately.)
Firebird Documentation Index → Firebird 2.5 Language Ref. Update → Security and access control → AUTO ADMIN MAPPING |