How to REVOKE ROLE GRANTED BY another user on Firebird 2.5.8?

Question

I am working with Firebird 2.5.8, ODS Version 11.2, connecting via Firebird ADO.NET v6.6 (in C# using Visual Studio). I have built a database management tool for configuring our

Answer 1

Since Firebird 2.5.9 Release Notes do not mention any user grant related bugfixes, I think you mistook something, probably you just did not invoke the RDB$ADMIN when you logged in with Mgr2. Try querying the active role just before trying to revoke.

Just tried this in Firebird 2.5.9 Win64 using IBExpert suite.

First session:

/*** connected as SYSDBA with no role specified ***/
GRANT RDB$ADMIN TO ADM_1;
GRANT RDB$ADMIN TO ADM_2;
CREATE ROLE USER_ROLE;

Second session:

/*****  ADM_1 with RDB$ADMIN role specified *****/
select current_role, current_user from rdb$database;
-- ROLE         USER
-- RDB$ADMIN    ADM_1

grant user_role to user_1;
grant user_role to user_2 granted by sysdba;

Third session:

/*****  ADM_2 with RDB$ADMIN role specified *****/
select current_role, current_user from rdb$database;
-- ROLE         USER
-- RDB$ADMIN    ADM_2

revoke user_role from user_2 granted by sysdba;
-- OK

revoke user_role from user_1;
-- This operation is not defined for system tables.
-- unsuccessful metadata update.
-- ADM_2 is not grantor of Role on USER_ROLE to USER_1.

revoke user_role from user_1 granted by adm_1;
-- OK

So, at least in 2.5.9 SuperServer with a single connection to the database - it just works.

P.S. since you can have many more admins than just two, and since SEVERAL admins may grant a role to the user, and then EACH of those grants would have to be found and revoked one by one, so I suggest for your scenario you have a dedicated user then, with all grants being given in his name, like I did with SYSDBA in my second session.