From: Ded <de...@hq...> - 2001-04-24 21:04:31

"Ann W. Harrison" wrote:
> At 03:42 PM 4/24/2001 +0200, Mike Nordell wrote:
>
> > > Grant Select On RDB$Relations To DB_User ;
> > > Revoke Select On RDB$Relations From DB_User ;
> > >
> > > Results to impossibility DB_User to login database.
> >
> >So what's the deal here? Ann (C., Dave, ...), should this even be a legal
> >operation on that system table? Should _any_ of these operations be legal on
> >_any_ of those system tables?
> >Methinks not, but then again I'm just a grunt.
>
> I would like to see security work on the system tables just as
> it does on user tables, so I say that the behavior is ok. If
> someone has select access to a table, granting it again is fine.
> If it is revoked, then that user doesn't have access to the table,
> even though it was granted twice and revoked only once.
>

Hi, Ann.

I'm a little confused: if all is so simple, why are system tables except RDB$ROLES not initially present in RDB$USER_PRIVILEGES and RDB$SECURITY_CLASSES? And why, after grant/revoke, does RDB$RELATIONS expire from RDB$USER_PRIVILEGES and remain in RDB$SECURITY_CLASSES? My knowledge about the last is limited to the short description of its structure in the Language Reference, and I don't know what 9:10 means in RDB$ACL. Isn't the effect of using grant/revoke with system tables a not fully correct mix of different rules? I don't insist it is a bug, but it is somewhat unexpected (to me) and I'm interested.

Best regards.

PS. Sorry if I repost, but my previous messages are lost somewhere (waited about an hour).