13.4. ROLE

13.4. `ROLE`

A role is a database object that packages a set of privileges. Roles implement the concept of access control at a group level. Multiple privileges are granted to the role and then that role can be granted to or revoked from one or many users.

A user that is granted a role must supply that role in their login credentials in order to exercise the associated privileges. Any other privileges granted to the user directly are not affected by their login with the role. Logging in with multiple roles simultaneously is not supported.

In this section the tasks of creating and dropping roles are discussed.

13.4.1. `CREATE ROLE`

Used forCreating a new ROLE object

Available inDSQL, ESQL

Syntax

  |CREATE ROLE rolename

Table 13.6. CREATE ROLE Statement Parameter

Parameter	Description
rolename	Role name. The maximum length is 31 characters

The statement CREATE ROLE creates a new role object, to which one or more privileges can be granted subsequently. The name of a role must be unique among the names of roles in the current database.

🛑

Warning

It is advisable to make the name of a role unique among usernames as well. The system will not prevent the creation of a role whose name clashes with an existing username but, if it happens, the user will be unable to connect to the database.

13.4.1.1. Who Can Create a Role

The CREATE ROLE statement can be executed by:

Administrators
Users with the CREATE ROLE privilege

The user executing the CREATE ROLE statement becomes the owner of the role.

13.4.1.2. `CREATE ROLE` Example

Creating a role named SELLERS

  |CREATE ROLE SELLERS;

13.4.2. `ALTER ROLE`

Used forAltering a role (enabling or disabling auto-admin mapping)

Available inDSQL

Syntax

  |ALTER ROLE rolename
  |  {SET | DROP} AUTO ADMIN MAPPING

Table 13.7. ALTER ROLE Statement Parameter

Parameter	Description
rolename	Role name; specifying anything other than `RDB$ADMIN` will fail

ALTER ROLE has no place in the create-alter-drop paradigm for database objects since a role has no attributes that can be modified. Its actual effect is to alter an attribute of the database: Firebird uses it to enable and disable the capability for Windows Administrators to assume administrator privileges automatically when logging in.

This capability can affect only one role: the system-generated role RDB$ADMIN that exists in every database of ODS 11.2 or higher. Several factors are involved in enabling this feature.

For details, see AUTO ADMIN MAPPING.

13.4.2.1. Who Can Alter a Role

The ALTER ROLE statement can be executed by:

Administrators

ⓘ

Note

Although an ALTER ANY ROLE DDL privilege exists, it does not apply because creating or dropping mappings requires administrator privileges.

13.4.3. `DROP ROLE`

Used forDeleting a role

Available inDSQL, ESQL

Syntax

  |DROP ROLE rolename

The statement DROP ROLE deletes an existing role. It takes just a single argument, the name of the role. Once the role is deleted, the entire set of privileges is revoked from all users and objects that were granted the role.

13.4.3.1. Who Can Drop a Role

The DROP ROLE statement can be executed by:

Administrators
The owner of the role
Users with the DROP ANY ROLE privilege

13.4.3.2. `DROP ROLE` Examples

Deleting the role SELLERS

  |DROP ROLE SELLERS;

Prev	Up	Next
13.3. SQL Privileges	Home	13.5. Statements for Granting Privileges