
Key: CORE-751
Type: New Feature
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Roman Simakov
Reporter: Pavel Cisar
Votes: 13
Watchers: 3
Firebird Core

Implicitly active roles (and their permissions summarized)

Created: 17/Sep/03 12:00 AM   Updated: 23/Sep/16 06:37 PM
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.0 Alpha 1


SF_ID: 807938
QA Status: Covered by another test(s)
Test Details: See test for CORE-1815


Description
SFID: 807938#
Submitted By: pcisar

Database rights can be assigned to Groups. Groups can be assigned to users. The resulting user database rights are the combination of the group rights as well as user rights. All this must work without roles.

Alice F. Bird added a comment - 14/Jun/06 09:42 AM - edited
Date: 2004-10-22 00:43
Sender: smace
Logged In: YES
user_id=522214

I know an easy way of doing "Groups of grants" in Firebird.

--

One way is adding RDB$GROUPS table like RDB$ROLES.

CREATE TABLE RDB$GROUPS (
    RDB$GROUP_NAME CHAR(31) CHARACTER SET UNICODE_FSS,
    RDB$OWNER_NAME CHAR(31) CHARACTER SET UNICODE_FSS
);

And then replacing RDB$SECURITY_CLASSES with a view instead of a table. This view catches all data from RDB$RELATION_FIELDS and automatically adds grants (from the groups) through one select, union, whatever. I believe it's not so hard to do, as you can see. So, I'd like to implement it. But I am not sure about changing RDB$ tables, and how we can add it to the default Firebird distro.

Alice F. Bird added a comment - 14/Jun/06 09:42 AM - edited
Date: 2004-07-29 21:58
Sender: smace
Logged In: YES
user_id=522214

I'd like to have Firebird behaving this way:

- accepting multiple roles at the same time.
- having an option to switch between passive roles and active roles (one becomes effective just by assigning it to a user, the other must be specified during the connection to the DB).
- groups of roles, i.e. grant a role to another role (when you grant a "master role" to a user, this user will have all privileges of all roles granted to the "master role").

Is this the same thing you want? If yes, how can we implement it?

Jacques added a comment - 31/Aug/09 12:37 AM
Where can I find a step-by-step guide to implement the above?

I am looking into building a security model, and from there, granting roles to users, which the users can use to see data as needed.

Alexander Peshkov added a comment - 31/Aug/09 01:00 AM
If you need "granting roles to users, which the users can use to see data as needed", this already works in Firebird.

No one will write you a step-by-step guide - it's easier to write the required program, but even to provide generic advice on what to start with I need to get a full understanding of what you really need.

Roman Simakov added a comment - 12/May/16 05:15 PM
The recently implemented ability to grant a role to another role (http://tracker.firebirdsql.org/browse/CORE-1815) covers this feature in the case of using DEFAULT ROLE. I guess this ticket can be closed.

Simonov Denis added a comment - 23/May/16 05:25 AM
Please add a description of the system function RDB$ROLE_IN_USE to the README.cumulative_roles.txt file.
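
How the role-to-role grant and DEFAULT roles mentioned in the closing comments cover the original "groups" request, shown as an added example that is not taken from the ticket or from the Firebird project's files. It assumes Firebird 4.0 syntax; the table, role and user names and the password are hypothetical.

```sql
-- Added example; ORDERS, READERS, STAFF and ALICE are hypothetical names.
-- Assumes Firebird 4.0, executed by the database owner or an administrator
-- who is allowed to create users and roles.

CREATE TABLE ORDERS (
    ID     INTEGER NOT NULL PRIMARY KEY,
    AMOUNT NUMERIC(12,2)
);

-- Narrow role that carries the actual object privilege.
CREATE ROLE READERS;
GRANT SELECT ON ORDERS TO ROLE READERS;

-- "Group" role that bundles narrower roles (a role granted to a role,
-- the feature tracked in CORE-1815).
CREATE ROLE STAFF;
GRANT DEFAULT READERS TO ROLE STAFF;

-- DEFAULT makes the role implicitly active: the user does not have to
-- name it in the ROLE clause when connecting.
CREATE USER ALICE PASSWORD 'constructed-placeholder';
GRANT DEFAULT STAFF TO USER ALICE;
COMMIT;

-- Run while connected as ALICE with no role specified:
-- reports whether each role is contributing privileges to this attachment.
SELECT RDB$ROLE_IN_USE('STAFF')   AS STAFF_ACTIVE,
       RDB$ROLE_IN_USE('READERS') AS READERS_ACTIVE
FROM RDB$DATABASE;

-- All roles currently in use by this attachment.
SELECT RDB$ROLE_NAME
FROM RDB$ROLES
WHERE RDB$ROLE_IN_USE(RDB$ROLE_NAME);

-- Audit view for an administrator: every role membership grant
-- (privilege type 'M'), whether the grantee is a user or another role.
SELECT RDB$USER, RDB$USER_TYPE, RDB$RELATION_NAME AS GRANTED_ROLE
FROM RDB$USER_PRIVILEGES
WHERE RDB$PRIVILEGE = 'M'
ORDER BY RDB$USER;
```

Because implicitly active roles never appear in a connection string, the membership query is the place to review who inherits which privileges through nested roles.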