Control assignment of SYSDBA rights to windows administrators during trusted auth on per-database basis [CORE1660] #2085
Assignees
Comments
|
Commented by: @AlexPeshkoff Added minimum support of users mapping. |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 2.5 Alpha 1 [ 10224 ] |
Modified by: @pcisarWorkflow: jira [ 13711 ] => Firebird [ 15542 ] |
Modified by: @pcisarstatus: Resolved [ 5 ] => Closed [ 6 ] |
Modified by: @pavel-zotovQA Status: No test |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Submitted by: @AlexPeshkoff
We have 2 main problems with trusted authentication - users can't control, should Domain Admins be mapped to SYSDBA and (related with first) real login names are not visible when mapped to SYSDBA.
A solution to both problems is to add system role RDB$ADMIN, using which gives one the same rights as being SYSDBA in particular database. Mapping Domain Admins to this role will be done using
ALTER ROLE "RDB$ADMIN" ADD/DROP OS_NAME 'Domain Admins';
Given syntax matches future full mapping control SQL statement. With this role supported there is no need to change OS login name to SYSDBA any more.
Presence of system role RDB$ADMIN is useful feature itself. SYSDBA can grant this role to any user, letting him have SYSDBA rights for particular database.
The text was updated successfully, but these errors were encountered: