Subject | Re: [IB-Architect] Re: Some thoughts on IB and security |
---|---|
Author | Bill Karwin |
Post date | 2000-04-28T19:49:39Z |
---- Original Message -----
From: "Jason Wharton" <jwharton@...>
> >I support Jim's plan for plug-in modules that implement security. (In
> >fact, I proposed it myself as a future direction for InterBase a couple
> >of years ago.)
>
> Could this make it possible to hook into each OS's security interface?
> I get
> heckled a lot by our WIN NT LAN administrator who thinks that the database
> security should be aware of the NT users and groups and be able to have
> permissions based on that.

This would be convenient for many situations. However, one could also argue
that there are situations in which you _don't_ want every user in your NT
Domain or NDS directory to implicitly have a login to the database.
Therefore it'd be good for integration with OS security to be an option, but
not mandatory.

> I'd like to see it designed such that looking at the ISC4.GDB is the default
> behavior and that other plug-ins could be used to look elsewhere for their
> security credentials. Each OS could have its own plugin to hook into its
> security system.

Yes, that's the idea. Or even multiple plugins... for instance, in an
environment that supports multiple directory services.

> It would also be nice to have a certain amount of integration for ROLES and
> GRANTS, etc. so that these things could also be controlled at the LAN
> administration level rather than separately at the DBA level.

ROLES in particular are defined by SQL. ROLES are groups of privileges, not
groups of users as we know them from OS security. I think we should leave
alone the implementation of ROLES, in order to conform to SQL.

That does not preclude us from adding another mechanism for groups, such
that a user who belongs to a group inherits all privileges assigned to that
group. I think this would be a good addition, one that users have been
asking for in InterBase for years. But this is not the same thing as SQL
ROLES.

> I'd also like to see something similar for database aliases.

Yeah, we discussed this some weeks ago. I'd like to see this too. It
doesn't necessarily affect the implementation of authentication. I suggest
that we discuss it in a different thread.

Bill Karwin
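
The opt-in arrangement discussed in this message, as an added sketch that is not part of the original post and is not InterBase code: a chain of authentication plug-ins in which the built-in security database is the default and an OS or directory plug-in only takes part when it is configured. The interface, the names (`auth_fn`, `login_allowed`, `builtin_plugin`, `os_plugin`) and the fall-through rule are assumptions made for illustration, and the user tables are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical plug-in interface; not InterBase's actual API. */
typedef enum { AUTH_OK, AUTH_DENY, AUTH_UNKNOWN } auth_result;
typedef auth_result (*auth_fn)(const char *user, const char *secret);
typedef struct { const char *user, *secret; } cred;

/* Constructed sample stores. A real plug-in would verify a password hash
   in the security database or call the OS or directory service. */
static const cred builtin_db[] = { {"SYSDBA", "sample-1"}, {"alice", "sample-2"} };
static const cred os_dir[]     = { {"alice", "os-sample"}, {"bob", "sample-3"} };

static auth_result check(const cred *t, size_t n, const char *u, const char *s) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].user, u) == 0)
            return strcmp(t[i].secret, s) == 0 ? AUTH_OK : AUTH_DENY;
    return AUTH_UNKNOWN;                 /* user not present in this store */
}
auth_result builtin_plugin(const char *u, const char *s) {
    return check(builtin_db, sizeof builtin_db / sizeof *builtin_db, u, s);
}
auth_result os_plugin(const char *u, const char *s) {
    return check(os_dir, sizeof os_dir / sizeof *os_dir, u, s);
}

/* Try the configured plug-ins in order. Only AUTH_UNKNOWN falls through to
   the next plug-in: a wrong secret for a known user denies at once, and a
   user that no configured plug-in knows is denied. */
int login_allowed(const auth_fn *chain, size_t n, const char *u, const char *s) {
    for (size_t i = 0; i < n; i++) {
        auth_result r = chain[i](u, s);
        if (r != AUTH_UNKNOWN)
            return r == AUTH_OK;
    }
    return 0;
}

/* Default: built-in database only. OS integration is added by configuration. */
const auth_fn default_chain[] = { builtin_plugin };
const auth_fn os_chain[]      = { builtin_plugin, os_plugin };

int main(void) {
    printf("bob, default chain: %d\n", login_allowed(default_chain, 1, "bob", "sample-3"));
    printf("bob, OS plug-in on: %d\n", login_allowed(os_chain, 2, "bob", "sample-3"));
    return 0;
}
```

With the default chain, a user who exists only in the OS directory has no database login; enabling the second plug-in is what admits that user.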