Tom Lane wrote:
> Peter Eisentraut <[EMAIL PROTECTED]> writes:
>
>> ... Therefore I ask whether everyone agrees
>> that groups and roles are basically equivalent concepts (and perhaps that
>> we might in the future strive to make groups more compatible with the
>> roles as defined in the SQL standard).  Or does anyone see that roles
>> might be implemented separately from groups sometime?
>
> Just reading section 4.31.3 of the SQL99 draft, it seems that roles are
> pretty much interchangeable with groups, except that a role can be a
> member of another role while we don't presently allow groups to be
> members of other groups.
>
> So it seems that your question breaks down to:
>
> 1. Do we want to someday allow groups to have groups as members?  (Seems
> reasonable to me.)

Makes sense ...

> 2. Are there any other differences between groups and roles?  (I'm not
> sure about this one.)

To me some differences would make sense if we had additional privileges. In Oracle a user needs a bunch of rights to connect, to execute SQL, and so forth. If we had these features it would make sense to treat roles and groups separately because:
Imagine having groups having rights on dozens of tables. If these groups were assigned to a role it would be an easy task to block numerous groups from executing SQL at once. Currently a user has all rights of all groups he belongs to so it is damn hard to say that 1000 users should not be allowed to do anything for a period of time (because of maintenance or so). If all those users (but the superuser) had a certain role, the role could be modified instead of those 1000 users/groups (e.g. REVOKE login, execute_sql FROM some_role).


Currently roles don't make too much sense to me because we don't have the permissions for making roles useful (personally I don't think that it makes sense to have this stuff anyway).

I guess adding a simple field to the system tables would be enough.
If we had a field "active" (bool) in pg_shadow and pg_group we could solve some basic problems such as banning 10000 groups at once more easily.
This is the only problem we have from time to time. If there is too much user rights stuff around, administering will be more painful (see Oracle).


Regards,

Hans

--
Cybertec Geschwinde u Schoenig
Ludo-Hartmannplatz 1/14, A-1160 Vienna, Austria
Tel: +43/2952/30706; +43/664/233 90 75
www.cybertec.at, www.postgresql.at, kernel.cybertec.at


