Feature Description

GRANT/REVOKE operations can now be performed by runtime licensees.

Purpose

InterBase's proprietary GDML language supports group-controlled security in the database through the following steps:

  • Assigning a user to a group by modifying the /etc/group file in the Unix domain, or by adding the user id and its group id to isc4.gdb.
  • Executing the GDML "DEFINE SECURITY_CLASS" statement in QLI or GDEF to grant specific privileges to [group,user] pairs.
  • Executing GDML "DEFINE DATABASE/RELATION/FIELD/VIEW" statements in QLI or GDEF to associate the security class with database objects.

With InterBase Version 4.x and 5.0, we are migrating customers from GDML to SQL, and SQL has no equivalent way to support the GROUP concept. For this reason, many InterBase version 3.x customers are reluctant to migrate to InterBase version 4.0 and above. Support for SQL-group level security specifically addresses this issue. The SQL-group level security is based on the unapproved July 1996 edition of ANSI X3H2-96-296C, the ISO-ANSI Working Draft for Database Language SQL, Part 2.

Feature Description

InterBase intends to fully support the SQL-group level security described in the following sections of the ISO-ANSI Working Draft for Database Language SQL:

<role definition>
<grant statement>
<revoke statement>
<drop role statement>

InterBase intends to partially support the SQL-group level security described in the following sections of the ISO-ANSI Working Draft for Database Language SQL:

<grant role statement>

InterBase supports:
GRANT <role granted> TO PUBLIC;
GRANT <role granted> TO PUBLIC WITH ADMIN OPTION;
GRANT <role granted> TO <authorization identifier>;
GRANT <role granted> TO <authorization identifier> WITH ADMIN OPTION;

InterBase does not support:
GRANT <role granted> TO <role name>;
GRANT <role granted> TO <role name> WITH ADMIN OPTION;

<revoke role statement>

InterBase supports:
REVOKE <role revoked> FROM PUBLIC;
REVOKE <role revoked> FROM <authorization identifier>;

InterBase does not support:
REVOKE <role revoked> FROM <role name>;
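
The statements listed above, walked through as an added example (not taken from the InterBase documentation). The table, role and user names are hypothetical. Because a role cannot be granted to another role, the second role receives its privileges directly.

```sql
-- Constructed schema: table, role and user names are hypothetical.
CREATE TABLE salary_history (
    emp_no      INTEGER NOT NULL,
    change_date DATE NOT NULL,
    new_salary  NUMERIC(10,2) NOT NULL
);

-- <role definition>
CREATE ROLE payroll_clerk;
CREATE ROLE payroll_manager;

-- <grant statement>: privileges attach to the role, not to each user.
GRANT SELECT ON salary_history TO payroll_clerk;

-- Not supported: GRANT payroll_clerk TO payroll_manager;
-- Roles cannot be nested, so the manager role is granted
-- the clerk's privileges (and its own) explicitly.
GRANT SELECT, INSERT, UPDATE ON salary_history TO payroll_manager;

-- <grant role statement>
GRANT payroll_clerk TO alice;
-- WITH ADMIN OPTION lets bob grant payroll_manager to other users.
GRANT payroll_manager TO bob WITH ADMIN OPTION;

-- <revoke role statement>: alice loses everything held through the role.
REVOKE payroll_clerk FROM alice;

-- <revoke statement>: narrow the role itself.
REVOKE SELECT ON salary_history FROM payroll_clerk;

-- <drop role statement>
DROP ROLE payroll_clerk;
```

When reviewing a database migrated from GDML security classes, the grants made TO PUBLIC and WITH ADMIN OPTION are the ones to audit first, since they widen who holds or can hand out a role.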