Roles and Users

Hi folks,

this roles and users and organizing thingy gives me a pretty bad headache lately. I'm new to firebird yet, am trying and like it but have many difficulties yet.

see my example please:

i have a CLIENTS table, and an ORDERS table.
there is a role CLIENT_OP who is responsible for the clients' data, he is allowed to update/delete/insert the CLIENT table.
the OPDERS_OP role has full rights to the ORDERS table and select right to the CLIENTS table. till this point it's okay.

but i want some higher skilled users to be able to do both operations..editing the clients table and also making orders.

how can i tell firebird that this user uses 2 roles?

actually...when i give 2 roles to a user do the rights substract or unify? will i have access to both tables or to none?



Sly

You can give a user as many roles as you like. Each role has whatever privileges you assign to it.

However, a user can only log in using a SINGLE role.

Therefore, you will have to create a third role (ADMIN or SUPER etc.) and grant that role all the privileges of both roles.

Unlike some other databases (Oracle comes to mind) you actually have to log on WITH the role you want to get the privileges of that role. Firebird does not lookup all the roles granted to a user and set the privileges from that lookup.

Clive.

I understand. I managed to give multiple roles to the user.

Is there a more convenient way to access multiple role rights? Because in a very complex system i will have very many roles (everybody may access the data that he works on and nothing else) but if i have some users that should do more people's work then i should create these kind of ADMIN1, ADMIN2, ... roles with all the desired combinations....or...find a more convenient and still secure way.

When simply editing tables i could do something like...the program will query what roles have Udpate/etc... access to that table and check for if the user is associated with any of the righty roles then quickly disconnect and connect with the right role...

But at more complicated tasks, when editing multiple tables in the same time this way is not gonna work.


Is there a possibility to inherit the rights from a role?
Something like create ROLE3 inherit all rights from ROLE2 and ROLE1?

you can give to users roles etc
you need to use these commands grant revoke

and i think the developers will create this option with version 3.0

Actually in 2.5, first snapshot is available right now

good news thanks pabloj whats the firebirds lastest version avaible now?2.0.3 or ?

A bit off-topic, but you can grant roles in Oracle in such a way that the user has to enable them manually. You can even "secure" the role with a password that the user needs to enter when he/she tries to activate the role.

Afaik 2.1 has just been released as stable

Hi everyone

Thanks for the informative thread. I've a question on firebird. (I'm curently using V 2.0 something with PHP 5 and ADO for PHP).

I have three roles:-

A Admin
B Booker
C Viewer

Admin has the abiliy to do anything.
Booker has the ability to insert and update and delete specific subsets of a table bookings.
Viewer can only look at bookings.

As I understand it the users connect with their usernames and passwords and the role.

What is to stop a Viewer (or Booker) user connecting with their valid username and password but with a role of admin ?

An explanation or 'gotchas' would be very much appreciated before I write loads of grants and revokes etc. on loads more tables.

Thanks very much

Firebirdy

I don't understand your questions, you created 3 roles and granted them to users (selectively), now, a use who hasn't been granted a role can't connecto with that role, simple as this.
Of course if you granted full rights to public no role will help, first revoke everything from public and then give appropriate grants.

Thanks. That answers my question. I was worried that a valid user with just the rights as a Viewer only coluld log on using their valid Viewer username and password but specify the role of 'Admin' when logging in.

You also pointed out the gotcha of the fact we must remember to ensure no public rights.

Thanks once again for your speed reply.

Firebirdy