Enabling Embedded User Authentication

From InterBase

Go Up to Database User Management


Embedded user authentication (EUA) stores database user name and password information directly in the database. When user authentication is embedded in a database, database metadata IP is better protected from outside inspection. EUA also makes transportable databases more secure.

Only the database owner is allowed to administer embedded user authentication. A regular user may alter the password for their own user account.

Having a SYSDBA user account under embedded user authentication is optional. If there is a SYSDBA account, it has most of the same privileges for the database in which it is embedded that any admin.ib would have. The sole exception is that the SYSDBA cannot maintain admin control for EUA if it has been implemented by another user.

Important: EUA must be enabled to use the InterBase encryption feature, which facilitates the encryption of database pages and columns. Access to encrypted databases and columns can be given to specified users when EUA has been enabled. For more information about the InterBase encryption feature, see the Data Definition Guide.

Check if EUA is Active with isc_database Info API

If isc_databaseinfo() is invoked with info item isc_info_db_eua_active it returns:

  • 1 if EUA is active for the database.
  • 0 if EUA is not active.

Only the owner or SYSDBA can query for this information, once connected to the database. For all other users, the info request is ignored.

Enabling EUA Using iSQL

You can enable EUA using the following commands:

  • When creating a new database, use:
CREATE DATABASE <database name> [WITH ADMIN OPTION]
The admin clause automatically inserts name and password information for the user creating the database into the RDB$USERSsystem table.
  • When altering an existing database, use:
ALTER DATABASE [ADD ADMIN OPTION]

Alternatively, the gsec command-line utility has a new option, -user_database [database_name], which allows that tool to maintain user accounts for embedded user authentication enabled databases.

To disable EUA, use the following syntax:

ALTER DATABASE [DROP ADMIN OPTION]

Once EUA is disabled, access to the database will be authenticated via the centralized user authentication database of the server ADMIN.IB.

Enabling EUA Using IBConsole

You can enable EUA using the IBConsole when you use the IBConsole interface to create a new database.

To enable EUA from IB Console:

1. Right-click on Databases and choose Create Database from the context menu.
2. On Create Database, in the Embedded User Authentication field, change the default, No, to Yes.
3. Change the other settings as needed, and choose OK to create the database. EUA is now enabled.

Adding and Modifying Users in a EUA-enabled Database

To add users to a EUA-enabled database, use the isc_spb_user_dbname service parameter block (SPB) with the isc_action_svc_add_user service action. The allowed service actions are isc_action_svc_xxx_user, where you replace xxx with add/modify/delete/display for each respective action.

The following code sample illustrates how to use this SPB to add a user to EUA-enabled database:

#ifdef EUA_DATABASE
*thd++ = isc_spb_user_dbname;
ADD_SPB_LENGTH (thd, strlen(target_db));
for (x = target_db; *x;)
*thd++ = *x++;
#endif

For more information about using this and other service parameter blocks and service actions, see the InterBase API Guide.

See Also

Advance To: