| Subject | Re: [Firebird-Architect] Re: Groups in Firebird |
|---|---|
| Author | Jim Starkey |
| Post date | 2004-10-25T18:19:52Z |
Juarez Rudsatz wrote:
on what an application may be doing. The filterset construct is a named
object that can be conveniently enabled/disabled as a unit
(Netfrastructure supports both SQL syntax and an API). Your "per
role/table" precludes this. It also precludes multiple filter elements
per table. If you look at my example, you will see at least a half
dozen that control content tables to enforce different policies.
Netfrastructure also supports the boolean expression
<role> IS ACTIVE ROLE
which allows a single filter element to handle an arbitrary number of
roles. Grouping filter elements into a named set, hence "filterset",
provides these capabilities.
[Non-text portions of this message have been removed]
>| The second part of the puzzle is row level access control. There areIt's very nice being able to turn various filters on and off depending
>| very few application that give client unrestricted read access to tables
>| within a database. Netfrasite controls access to most tables on a
>| per-row basis using "filtersets".
>
>Jim's profecy:
>
>GRANT <SELECT | INSERT | UPDATE | DELETE | ALL> ON <table> TO <rolename>
>WHERE <search_condition>
>
>
>
>
on what an application may be doing. The filterset construct is a named
object that can be conveniently enabled/disabled as a unit
(Netfrastructure supports both SQL syntax and an API). Your "per
role/table" precludes this. It also precludes multiple filter elements
per table. If you look at my example, you will see at least a half
dozen that control content tables to enforce different policies.
Netfrastructure also supports the boolean expression
<role> IS ACTIVE ROLE
which allows a single filter element to handle an arbitrary number of
roles. Grouping filter elements into a named set, hence "filterset",
provides these capabilities.
[Non-text portions of this message have been removed]