From: Kyle G. <ky...@in...> - 2016-05-04 18:56:38
Thank you, I can connect and now have rights.

I will try to follow your advice to sculpt a user (or role) with just the necessary rights.

Meanwhile, I have a couple of questions (should I start a different thread?)

The created user appears to belong to the server, not the database, correct?

I can create a role, will it belong to the server or the database?

The role assignment appears to be assigned per database (but still must be passed in the connection string)

During application development, I often recreate the entire database via isql script. It appears I should add some script lines to (create and?) assign the role to the user that will be used in the connection string, correct?

And one last question, I don't see much about database "owners". Is that simply the account that was used to connect when the create database command is issued?

Thanks,
---
Kyle Green

On 2016-05-04 04:29, Mark Rotteveel wrote:
> On 2016-05-03 23:45, Kyle Green wrote:
>> Thank you, I have done as you suggested, and the connection string
>> works!
>>
>> However the user I created has no permissions, not even select
>> permissions:
>>
>> my log shows 5/3/2016 3:36:11 PM: no permission for SELECT access to
>> TABLE BLOGS ( and for every other attempt to access data)
>>
>> I had named my User "LegacyUser" (was that a mistake?). Then, while
>> attached to the database through FlameRobin, ran these:
>>
>> GRANT rdb$admin TO USER LegacyUser;
>>
>> Above did not allow access, so I tried this:
>>
>> ALTER USER LegacyUser GRANT ADMIN ROLE;
>>
>> Even after this, the error at the top still appears.
>>
>> I have always used SYSDBA account for my web applications, so I have
>> no experience with user accounts.
>>
>> What might be missing?
>
> You could just create a legacy SYSDBA (it might already exist, in which
> case you just need to change the password). However using SYSDBA for a
> (web) application is a bad idea, because it has all rights on all
> databases on the Firebird server. You should create a user that has the
> minimal rights necessary for your application to work.
>
> As to the specific problem: roles are only applied when you specify
> them on connect in the connection string (for Firebird .net provider
> property: Role=RDB$ADMIN) or - since 3.0 - after connect with SET ROLE.
> No role specified means that you only get the rights assigned to PUBLIC
> and the user itself.
>
> For RDB$ADMIN specifically, you can enable auto admin mapping, which
> means that the user will get the role implicitly when logged in. See
> http://www.firebirdsql.org/file/documentation/reference_manuals/fblangref25-en/html/fblangref25-security-auth.html#fblangref25-security-autoadminmapping
>
> But I'd strongly advise you to create a specific role with only the
> necessary rights.
>
> Mark
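
The least-privilege setup recommended in the quoted reply, written as lines for a database rebuild script; this is an added example, not part of the original thread. Roles and grants are stored in the database itself, so a script that recreates the database has to recreate them too. The role name BLOG_APP and the chosen privileges are assumptions; BLOGS and LegacyUser come from the thread, and the user account is assumed to exist already.

```sql
/* Added example: role with only the rights the web application needs.
   BLOG_APP is a hypothetical role name; adjust the privilege list per table. */

CREATE ROLE BLOG_APP;

/* Grant table rights to the role, not to the user and not to PUBLIC.
   Repeat for each table the application touches. */
GRANT SELECT, INSERT, UPDATE, DELETE ON BLOGS TO ROLE BLOG_APP;

/* Make the application account a member of the role.
   No WITH ADMIN OPTION: the account cannot hand the role on to others. */
GRANT BLOG_APP TO USER LegacyUser;

COMMIT;

/* Membership alone grants nothing at run time. The role must be named on
   connect, e.g. in the Firebird .NET provider connection string
   (password and database path are placeholders):

     User=LegacyUser;Password=<password>;Database=<path-to-db>;Role=BLOG_APP

   or, since Firebird 3.0, activated after connecting:

     SET ROLE BLOG_APP;
*/

/* Check 1: run while connected as LegacyUser. Returns NONE when the
   connection did not specify a role, which reproduces the
   "no permission for SELECT access to TABLE BLOGS" error. */
SELECT CURRENT_ROLE FROM RDB$DATABASE;

/* Check 2: list what the role can do. Unquoted identifiers are stored
   in upper case, hence 'BLOG_APP'. */
SELECT RDB$RELATION_NAME, RDB$PRIVILEGE
FROM RDB$USER_PRIVILEGES
WHERE RDB$USER = 'BLOG_APP'
ORDER BY RDB$RELATION_NAME, RDB$PRIVILEGE;
```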