Peter Eisentraut <[EMAIL PROTECTED]> writes:
> Maybe this is too radical, but why not merge "user" and "group" into one
> animal? Both exist to bear privileges. The only difference is that
> groups can contain other bearers of privileges, but then a user is just a
> special case with zero members
Tom Lane writes:
> Hm. That seems to be another reason to unify usesysid and grosysid into
> a single unique something-id. Which probably implies unifying pg_shadow
> and pg_group into one table.
Maybe this is too radical, but why not merge "user" and "group" into one
animal? Both exist to bea
Oleg Bartunov writes:
> Just interesting if we could implement some kind of RBAC
> (role based access control). Here is the reference:
> http://csrc.nist.gov/rbac/
Apparently the authors of the SQL standard have read this document,
because the role system in SQL looks exactly like what this docum
Christopher Kings-Lynne wrote:
1. Do we want to someday allow groups to have groups as members? (Seems
reasonable to me.)
I agree.
I think the other requirement of roles is that they are able to own objects.
ie. we need to allow groups to own objects.
This would also solve the prob
> "Christopher Kings-Lynne" <[EMAIL PROTECTED]> writes:
> > I think the other requirement of roles is that they are able to own objects.
> > ie. we need to allow groups to own objects.
>
> Hm. That seems to be another reason to unify usesysid and grosysid into
> a single unique something-id. Whic
"Christopher Kings-Lynne" <[EMAIL PROTECTED]> writes:
> I think the other requirement of roles is that they are able to own objects.
> ie. we need to allow groups to own objects.
Hm. That seems to be another reason to unify usesysid and grosysid into
a single unique something-id. Which probably
> > 1. Do we want to someday allow groups to have groups as members? (Seems
> > reasonable to me.)
>
> I agree.
I think the other requirement of roles is that they are able to own objects.
ie. we need to allow groups to own objects.
Chris
Tom Lane wrote:
Peter Eisentraut <[EMAIL PROTECTED]> writes:
... Therefore I ask whether everyone agrees
that groups and roles are basically equivalent concepts (and perhaps that
we might in the future strive to make groups more compatible with the
roles as defined in the SQL standard). Or does a
It would be nice to merge them, but with Unix having separate
namespaces, I am not sure it is a good idea to diverge from that.
---
Tom Lane wrote:
> Peter Eisentraut <[EMAIL PROTECTED]> writes:
> > Another issue is that use
Peter Eisentraut <[EMAIL PROTECTED]> writes:
> Another issue is that users and roles share a namespace. We might have to
> deal with that sometime, but it's not a problem as far as the information
> schema is concerned.
I've been thinking for awhile that the ACL code would be simplified if
userid
Hans-Jürgen Schönig writes:
> Imagine having groups having rights on dozens of tables. If these groups
> were assigned to a role it would be an easy task to block numerous
> groups from executing SQL at once. Currently a user has all rights of
> all groups he belongs to so it is damn hard to say t
Tom Lane writes:
> 1. Do we want to someday allow groups to have groups as members? (Seems
> reasonable to me.)
I agree.
> 2. Are there any other differences between groups and roles? (I'm not
> sure about this one.)
One other difference I found is that roles can be enabled or disabled (as
se
Just interesting if we could implement some kind of RBAC
(role based access control). Here is the reference:
http://csrc.nist.gov/rbac/
We've used a lot simple (flat) RBAC built on top of postgresql, but
would like to see more powerful (with roles hierarchy) rbac built-in.
Oleg
On Sat, 7
Peter Eisentraut <[EMAIL PROTECTED]> writes:
> ... Therefore I ask whether everyone agrees
> that groups and roles are basically equivalent concepts (and perhaps that
> we might in the future strive to make groups more compatible with the
> roles as defined in the SQL standard). Or does anyone see
I'm looking at representing privileges granted to groups in the
information schema. For that purpose I would like to use the views that
the standard defines for "roles". Therefore I ask whether everyone agrees
that groups and roles are basically equivalent concepts (and perhaps that
we might in t
15 matches