AUTO ADMIN MAPPING
Platform: Windows only
Added in: 2.5
Description
In Firebird 2.1, Windows administrators would automatically receive SYSDBA privileges if they used trusted authentication to connect to the server. In Firebird 2.5, this is no longer the case. Whether administrators have automatic SYSDBA rights now depends on the setting of AUTO ADMIN MAPPING. This is a per-database switch which is off by default. If AUTO ADMIN MAPPING is on, it will take effect whenever a Windows administrator: a) connects using trusted authentication, and b) does not specify any role when connecting. After a successful “auto admin” connect, the current role is set to RDB$ADMIN.
In normal databases
To turn the automatic mapping on and off in a regular database:
ALTER ROLE RDB$ADMIN SET AUTO ADMIN MAPPING
ALTER ROLE RDB$ADMIN DROP AUTO ADMIN MAPPING
These statements must be issued by a user with sufficient rights, that is:
- the database owner;
- SYSDBA;
- anybody who has the RDB$ADMIN role in the database and specified it while connecting;
- if AUTO ADMIN MAPPING is on for the database: any Windows administrator who connected to the database using trusted authentication without specifying a role.
In normal databases, the status of AUTO ADMIN MAPPING is checked at connect time only. If an administrator has the RDB$ADMIN role because the mapping was on when he connected, he will keep that role for the duration of the connection, even if he or someone else turns off the mapping in the meantime. Likewise, setting AUTO ADMIN MAPPING on will not change the current role to RDB$ADMIN for administrators who were already connected.
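Because the mapping is evaluated only at connect time, turning it off leaves already-connected sessions holding RDB$ADMIN. The following isql sequence is an added example, not part of the original reference page; it uses the Firebird monitoring table MON$ATTACHMENTS, which this page does not mention, and the attachment id in the final comment is a placeholder.

```sql
-- Added example for Firebird 2.5 (run in isql against a regular database).

-- 1. Check which role this session holds. After an "auto admin" connect
--    CURRENT_ROLE is RDB$ADMIN although no role was given when connecting.
SELECT CURRENT_USER, CURRENT_ROLE FROM RDB$DATABASE;

-- 2. Turn the mapping off for this database.
ALTER ROLE RDB$ADMIN DROP AUTO ADMIN MAPPING;
COMMIT;

-- 3. Sessions opened while the mapping was on keep the role until they
--    disconnect. List every other attachment that still holds RDB$ADMIN.
--    The result also includes users who were granted the role and named
--    it explicitly at connect; MON$ROLE does not distinguish the two.
SELECT MON$ATTACHMENT_ID,
       MON$USER,
       MON$ROLE,
       MON$REMOTE_ADDRESS,
       MON$TIMESTAMP
FROM   MON$ATTACHMENTS
WHERE  MON$ROLE = 'RDB$ADMIN'
  AND  MON$ATTACHMENT_ID <> CURRENT_CONNECTION
ORDER  BY MON$TIMESTAMP;

-- 4. Optional: end a lingering session so the change takes effect for it.
--    Replace <attachment_id> with a value returned by step 3.
-- DELETE FROM MON$ATTACHMENTS WHERE MON$ATTACHMENT_ID = <attachment_id>;
```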
In the security database
There are no SQL statements to turn the automatic mapping on and off in the security database. Instead, gsec must be used:
gsec -mapping set
gsec -mapping drop
Depending on the situation, more parameters may be needed when invoking gsec, e.g. -user and -pass, or -trusted.
These commands can be given by:
- SYSDBA;
- if AUTO ADMIN MAPPING is on for the security database: any Windows administrator who invokes gsec using trusted authentication without specifying a role.
Unlike the case with regular databases, users connecting with the RDB$ADMIN role cannot turn AUTO ADMIN MAPPING on or off in the security database. Also notice that the Windows administrator in the second list item can only turn the mapping off. In doing so, he shuts off the very mechanism that gave him access in the first place, so he won't be able to turn it back on again. (Even in an interactive gsec session, the new setting takes effect immediately.)