Subject | Re: [Firebird-Architect] User name SYSDBA |
---|---|
Author | Martijn Tonies |
Post date | 2005-08-03T20:42:22Z |
> >My only concern is that the current implementation of Role, while SQL
> >compliant is almost completely useless. Any user can login with any
> >role -- so how can access to the SYSDBA functions be limited?... they
> >can't.
> >
> >The change of SYSDBA from a user to a "role" would be a good thing, only
> >if the implementation uses a security "group" metaphor to which a user
> >must be added as a member and not a property which is set as a value at
> >login.
> >
> The SQL idea of role is substantially braindead. A more useful model is
> the ability for a user with a role to grant that role, with optional
> grant rights, to another user. An even more useful model is to allow a
> user to change his roles within a session. A still more useful role
> is to let a user activate or deactivate any roles from his set of
> available roles.
>
> For example, you, Sean, have the roles of Firebird admin, developer list
> curmudgeon, and boss of Nickolay. You can switch among those roles
> without going home, going to sleep, waking up, and driving back to
> work. On a good day, you can probably do things that require the union
> of privileges from all three.

"groups" sound fine to me.

With regards,
Martijn Tonies
Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL
Server
Upscene Productions
http://www.upscene.com
Database development questions? Check the forum!
http://www.databasedevelopmentforum.com
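
The role model discussed in the quoted messages (roles held as membership, grantable with optional grant rights, activated or deactivated within a session, effective privileges being the union of the active roles), as an added example that is not part of the original post and is not Firebird code. The class names, role names and privilege strings are hypothetical.

```python
class RoleError(Exception):
    """Raised when a grant or an activation is not permitted."""

class RoleCatalog:
    def __init__(self, role_privs):
        self.role_privs = role_privs   # role -> set of privileges (hypothetical names)
        self.members = {}              # (user, role) -> holder may grant the role on

    def bootstrap(self, user, role, may_grant=False):
        """Initial membership, set up by whoever owns the catalog."""
        self.members[(user, role)] = may_grant

    def grant(self, grantor, role, grantee, may_grant=False):
        # Only a member who holds grant rights on the role may pass it on.
        if not self.members.get((grantor, role), False):
            raise RoleError(f"{grantor} may not grant {role}")
        self.members[(grantee, role)] = may_grant

    def revoke(self, user, role):
        self.members.pop((user, role), None)

    def available(self, user):
        return {r for (u, r) in self.members if u == user}

class Session:
    def __init__(self, catalog, user):
        self.catalog, self.user, self.active = catalog, user, set()

    def activate(self, role):
        # Membership is checked here: a role is not a value chosen at login.
        if role not in self.catalog.available(self.user):
            raise RoleError(f"{self.user} is not a member of {role}")
        self.active.add(role)

    def deactivate(self, role):
        self.active.discard(role)

    def privileges(self):
        # Union over active roles, re-checked against current membership so
        # a revoke takes effect inside an already open session.
        privs = set()
        for role in self.active & self.catalog.available(self.user):
            privs |= self.catalog.role_privs[role]
        return privs

if __name__ == "__main__":
    cat = RoleCatalog({"SYSDBA": {"create_user", "backup"}, "DEVELOPER": {"alter_table"}})
    cat.bootstrap("sean", "SYSDBA", may_grant=True)
    cat.bootstrap("sean", "DEVELOPER")
    s = Session(cat, "sean")
    s.activate("SYSDBA"); s.activate("DEVELOPER")
    print(sorted(s.privileges()))
```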