Subject | Re: [Firebird-Architect] Groups in Firebird |
---|---|
Author | Geoff Worboys |
Post date | 2004-10-22T00:13:44Z |
> Am I sending this msg to the right Firebird group?

Pick one list and then see if anyone says to move it :-)

> I'd like to have "Groups of grants" in Firebird. I know an
> easy way of doing it. Who should I talk to make it happen?

Personally I suspect architect is perhaps the correct place
to hold this discussion because the idea of using groups
as well as roles seems an architectural choice - details of
its implementation can then move to fb-devel.

It's interesting that you bring this up, because I am at this
time reviewing an application of mine which originally tried
to overlap the idea of groups with existing SQL roles. It
did not turn out very well and I am now trying to find ways
of doing it better.

I've never particularly liked SQL roles. Certainly the idea
of logging on with a particular role is sometimes useful, it
means a user only needs one password but can choose to access
the system with greater access. But to implement the syntax
such that access is managed through roles just makes it
incredibly difficult to manage permissions efficiently.

The correct way (IMO) would have been to implement groups as
the method of managing access, and then implement SQL roles
in terms of groups (this role is a member of these groups).
This would have made it much easier to manage.

But having given my opinion on how it should have been done,
we should look at the SQL standard and other implementations.

I notice that Oracle (from some doco I found on the net) seems
to support granting roles to roles. I am left wondering if
this is their way of working around the shortfall left by the
SQL standard. It does seem like a way that may allow the
concept of groups to be integrated into roles. e.g.:

Create a set of roles that are used like groups for mgmt of
permissions and THEN create additional roles (intended for
user assignment) to which you attach the "group-roles".

Perhaps this approach would be preferable to introducing a
totally non-standard object (groups) into the database?

Comments?

--
Geoff Worboys
Telesis Computing
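
The "group-roles" arrangement described in the post above, as an added example that is not part of the original message and is not Firebird or Oracle code: a small Python model of role-to-role grants that resolves the effective privileges of a user-assignable role and rejects circular grants. All role, table and privilege names are constructed for illustration.

```python
# Added illustration: toy model of role-to-role grants. All role, table and
# privilege names are constructed; this is not Firebird or Oracle code.

class RoleGraph:
    def __init__(self):
        self.privs = {}    # role -> {(privilege, object)} granted directly
        self.holds = {}    # role -> roles that have been granted to it

    def grant_priv(self, privilege, obj, role):
        self.privs.setdefault(role, set()).add((privilege, obj))

    def closure(self, role):
        """Every role reachable from `role` through role-to-role grants."""
        seen, stack = set(), [role]
        while stack:
            for r in self.holds.get(stack.pop(), ()):
                if r not in seen:
                    seen.add(r)
                    stack.append(r)
        return seen

    def grant_role(self, granted, grantee):
        # Reject a grant that would make a role (indirectly) hold itself.
        if granted == grantee or grantee in self.closure(granted):
            raise ValueError(f"cycle: {granted} -> {grantee}")
        self.holds.setdefault(grantee, set()).add(granted)

    def effective(self, role):
        """Direct privileges plus everything inherited from held roles."""
        out = set(self.privs.get(role, ()))
        for r in self.closure(role):
            out |= self.privs.get(r, set())
        return out

def build_example():
    g = RoleGraph()
    # "Group-roles": used only to manage permissions.
    g.grant_priv("SELECT", "ORDERS", "GRP_ORDERS_READ")
    g.grant_priv("UPDATE", "ORDERS", "GRP_ORDERS_WRITE")
    g.grant_priv("SELECT", "EMPLOYEES", "GRP_HR_READ")
    # Roles intended for user assignment, built from the group-roles.
    g.grant_role("GRP_ORDERS_READ", "CLERK")
    for grp in ("GRP_ORDERS_READ", "GRP_ORDERS_WRITE", "GRP_HR_READ"):
        g.grant_role(grp, "MANAGER")
    return g

if __name__ == "__main__":
    g = build_example()
    for role in ("CLERK", "MANAGER"):
        print(role, sorted(g.effective(role)))
```

A permission added to one group-role shows up in every user role that holds it, which is why reviewing access under this scheme means resolving the full closure rather than reading a role's direct grants.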