Re: [HACKERS] Groups and roles

2003-06-18 Thread Peter Eisentraut
Oleg Bartunov writes: Just interesting if we could implement some kind of RBAC (role based access control). Here is the reference: http://csrc.nist.gov/rbac/ Apparently the authors of the SQL standard have read this document, because the role system in SQL looks exactly like what this

Re: [HACKERS] Groups and roles

2003-06-18 Thread Peter Eisentraut
Tom Lane writes: Hm. That seems to be another reason to unify usesysid and grosysid into a single unique something-id. Which probably implies unifying pg_shadow and pg_group into one table. Maybe this is too radical, but why not merge user and group into one animal? Both exist to bear

Re: [HACKERS] Groups and roles

2003-06-18 Thread Tom Lane
Peter Eisentraut [EMAIL PROTECTED] writes: Maybe this is too radical, but why not merge user and group into one animal? Both exist to bear privileges. The only difference is that groups can contain other bearers of privileges, but then a user is just a special case with zero members. Once

Re: [HACKERS] Groups and roles

2003-06-16 Thread Andreas Pflug
Christopher Kings-Lynne wrote: 1. Do we want to someday allow groups to have groups as members? (Seems reasonable to me.) I agree. I think the other requirement of roles is that they are able to own objects. i.e. we need to allow groups to own objects. This would also solve the

Re: [HACKERS] Groups and roles

2003-06-15 Thread Christopher Kings-Lynne
1. Do we want to someday allow groups to have groups as members? (Seems reasonable to me.) I agree. I think the other requirement of roles is that they are able to own objects. i.e. we need to allow groups to own objects. Chris

Re: [HACKERS] Groups and roles

2003-06-15 Thread Tom Lane
Christopher Kings-Lynne [EMAIL PROTECTED] writes: I think the other requirement of roles is that they are able to own objects. i.e. we need to allow groups to own objects. Hm. That seems to be another reason to unify usesysid and grosysid into a single unique something-id. Which probably

Re: [HACKERS] Groups and roles

2003-06-15 Thread Christopher Kings-Lynne
Christopher Kings-Lynne [EMAIL PROTECTED] writes: I think the other requirement of roles is that they are able to own objects. i.e. we need to allow groups to own objects. Hm. That seems to be another reason to unify usesysid and grosysid into a single unique something-id. Which probably

Re: [HACKERS] Groups and roles

2003-06-11 Thread Hans-Jürgen Schönig
Tom Lane wrote: Peter Eisentraut [EMAIL PROTECTED] writes: ... Therefore I ask whether everyone agrees that groups and roles are basically equivalent concepts (and perhaps that we might in the future strive to make groups more compatible with the roles as defined in the SQL standard). Or does

Re: [HACKERS] Groups and roles

2003-06-10 Thread Peter Eisentraut
Tom Lane writes: 1. Do we want to someday allow groups to have groups as members? (Seems reasonable to me.) I agree. 2. Are there any other differences between groups and roles? (I'm not sure about this one.) One other difference I found is that roles can be enabled or disabled (as

Re: [HACKERS] Groups and roles

2003-06-10 Thread Peter Eisentraut
Hans-Jürgen Schönig writes: Imagine having groups having rights on dozens of tables. If these groups were assigned to a role it would be an easy task to block numerous groups from executing SQL at once. Currently a user has all rights of all groups he belongs to so it is damn hard to say that

Re: [HACKERS] Groups and roles

2003-06-10 Thread Tom Lane
Peter Eisentraut [EMAIL PROTECTED] writes: Another issue is that users and roles share a namespace. We might have to deal with that sometime, but it's not a problem as far as the information schema is concerned. I've been thinking for awhile that the ACL code would be simplified if userids

Re: [HACKERS] Groups and roles

2003-06-10 Thread Bruce Momjian
It would be nice to merge them, but with Unix having separate namespaces, I am not sure it is a good idea to diverge from that. --- Tom Lane wrote: Peter Eisentraut [EMAIL PROTECTED] writes: Another issue is that users

Re: [HACKERS] Groups and roles

2003-06-09 Thread Tom Lane
Peter Eisentraut [EMAIL PROTECTED] writes: ... Therefore I ask whether everyone agrees that groups and roles are basically equivalent concepts (and perhaps that we might in the future strive to make groups more compatible with the roles as defined in the SQL standard). Or does anyone see that

Re: [HACKERS] Groups and roles

2003-06-09 Thread Oleg Bartunov
Just interesting if we could implement some kind of RBAC (role based access control). Here is the reference: http://csrc.nist.gov/rbac/ We've used a lot simple (flat) RBAC built on top of postgresql, but would like to see more powerful (with roles hierarchy) rbac built-in. Oleg On Sat, 7

[HACKERS] Groups and roles

2003-06-07 Thread Peter Eisentraut
I'm looking at representing privileges granted to groups in the information schema. For that purpose I would like to use the views that the standard defines for roles. Therefore I ask whether everyone agrees that groups and roles are basically equivalent concepts (and perhaps that we might in