Enabling Embedded User Authentication
Go Up to Database User Management
Embedded user authentication (EUA) stores database user name and password information directly in the database. When user authentication is embedded in a database, database metadata IP is better protected from outside inspection. EUA also makes transportable databases more secure.
Only the database owner is allowed to administer embedded user authentication. A regular user may alter the password for their own user account.
Having a SYSDBA user account under embedded user authentication is optional. If there is a SYSDBA account, it has most of the same privileges for the database in which it is embedded that any admin.ib would have. The sole exception is that the SYSDBA cannot maintain admin control for EUA if it has been implemented by another user.
- Important: EUA must be enabled to use the InterBase encryption feature, which facilitates the encryption of database pages and columns. Access to encrypted databases and columns can be given to specified users when EUA has been enabled. For more information about the InterBase encryption feature, see the Data Definition Guide.
Check if EUA is Active with isc_database Info API
isc_databaseinfo() is invoked with info item
isc_info_db_eua_active it returns:
- 1 if EUA is active for the database.
- 0 if EUA is not active.
Only the owner or SYSDBA can query for this information, once connected to the database. For all other users, the info request is ignored.
Enabling EUA Using iSQL
You can enable EUA using the following commands:
- When creating a new database, use:
CREATE DATABASE <database name> [WITH ADMIN OPTION]
- The admin clause automatically inserts name and password information for the user creating the database into the RDB$USERSsystem table.
- When altering an existing database, use:
ALTER DATABASE <database name> [ADD ADMIN OPTION]
Alternatively, the gsec command-line utility has a new option,
-user_database [database_name], which allows that tool to maintain user accounts for embedded user authentication enabled databases.
To disable EAU, use the following syntax:
ALTER DATABASE <database> [DROP ADMIN OPTION]
Once EUA is disabled, access to the database will be authenticated via the centralized user authentication database of the server
Enabling EUA Using IBConsole
You can enable EUA using the IBConsole when you use the IBConsole interface to create a new database.
To enable EUA from IB Console:
- 1. Right-click on Databases and choose Create Database from the context menu.
- 2. On Create Database, shown in |Figure 1.1, in the Embedded User Authentication field, change the default, No, to Yes.
- 3. Change the other settings as needed, and choose OK to create the database. EUA is now enabled.
Adding and Modifying Users in a EUA-enabled Database
To add users to a EUA-enabled database, use the
isc_spb_user_dbname service parameter block (SPB) with the
isc_action_svc_add_user service action. The allowed service actions are
isc_action_svc_xxx_user, where you replace
xxx with add/modify/delete/display for each respective action.
The following code sample illustrates how to use this SPB to add a user to EUA-enabled database:
#ifdef EUA_DATABASE *thd++ = isc_spb_user_dbname; ADD_SPB_LENGTH (thd, strlen(target_db)); for (x = target_db; *x;) *thd++ = *x++; #endif
For more information about using this and other service parameter blocks and service actions, see the InterBase API Guide.
- Security Model
- The InterBase Security Database
- Implementing Stronger Password Protection
- System Table Security
- SQL Privileges
- Groups of Users
- Other Security Measures
- User Administration with IBConsole
- User Administration With the InterBase API
- Using gsec to Manage Security
- Using gsec to Manage Database Alias
- gsec Error Messages