Subject | Re: [Firebird-Architect] User name SYSDBA |
---|---|
Author | Jim Starkey |
Post date | 2005-08-03T20:31:36Z |
Leyne, Sean wrote:
>My only concern is that the current implementation of Role, while SQL
>compliant is almost completely useless. Any user can login with any
>role -- so how can access to the SYSDBA functions be limited?... they
>can't.
>
>The change of SYSDBA from a user to a "role" would be a good thing, only
>if the implementation uses a security "group" metaphor to which a user
>must be added as a member and not a property which is set as a value at
>login.
>
>

The SQL idea of role is substantially braindead. A more useful model is
the ability for a user with a role to grant that role, with optional
grant rights, to another user. An even more useful model is to allow a
user to change his roles within a session. A still more useful role
is to let a user activate or deactivate any roles from his set of
available roles.

For example, you, Sean, have the roles of Firebird admin, developer list
curmudgeon, and boss of Nickolay. You can switch among those roles
without going home, going to sleep, waking up, and driving back to
work. On a good day, you can probably do things that require the union
of privileges from all three.
--
Jim Starkey
Netfrastructure, Inc.
978 526-1376
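
The role semantics discussed in this thread (membership checked at activation, grant rights, per-session activation, union of privileges), sketched as an added example that is not part of the original post or of Firebird's code. All class, role and privilege names are hypothetical.

```python
# Added illustration: toy model of the role semantics discussed in the thread.
# All names (RoleCatalog, Session, the roles and privileges) are hypothetical.

class RoleCatalog:
    def __init__(self, role_privs):
        self.role_privs = role_privs      # role -> set of privileges
        self.members = {}                 # (user, role) -> may_grant flag

    def grant(self, grantor, role, user, with_grant=False):
        # Membership model: only a member holding grant rights may pass the
        # role on. grantor=None stands for the bootstrap/owner grant.
        if grantor is not None and not self.members.get((grantor, role), False):
            raise PermissionError(f"{grantor} cannot grant {role}")
        self.members[(user, role)] = with_grant

    def available(self, user):
        return {r for (u, r) in self.members if u == user}


class Session:
    def __init__(self, catalog, user):
        self.catalog, self.user, self.active = catalog, user, set()

    def activate(self, role):
        # Checked against membership, not accepted as a value claimed at login.
        if role not in self.catalog.available(self.user):
            raise PermissionError(f"{self.user} is not a member of {role}")
        self.active.add(role)

    def deactivate(self, role):
        self.active.discard(role)

    def privileges(self):
        # Effective rights are the union over the currently active roles.
        privs = set()
        for role in self.active:
            privs |= self.catalog.role_privs[role]
        return privs


def demo():
    cat = RoleCatalog({"ADMIN": {"shutdown", "backup"}, "DEV": {"alter_table"}})
    cat.grant(None, "ADMIN", "sean", with_grant=True)
    cat.grant(None, "DEV", "sean")
    cat.grant("sean", "ADMIN", "nickolay")   # allowed: sean holds grant rights
    s = Session(cat, "sean")
    s.activate("ADMIN")
    s.activate("DEV")
    both = s.privileges()
    s.deactivate("ADMIN")
    return both, s.privileges()
```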