Subject Re: [Firebird-Architect] User name SYSDBA
Author Martijn Tonies
> > While it makes sense for someone to activate and deactivate a
> > particular role, does it make sense to temporarily leave a group?
>
> Nope.
>
>
> > What sort of privilege would be required to register another user for a
> > group?
>
> I think the answer to this question starts with thinking about db
> management functions at their most basic level and then creating system
> defined groups which encapsulate those functions (i.e. "Schema Owner",
> "Backup Operator", "Security Admin"...) from there the database owner
> (the user who creates the database -- who automatically becomes a member
> of all those groups) can then add rights/groups to other users...
>
> Some db functions will need to be defined as server 'level' rights (i.e.
> 'Create Database', 'Restore Operator'). Where will this data be stored?
> How will this be managed?
>
> Not only would the groups object encompass db management rights, but
> also object rights, just as the current users and roles structures
> provide, with the benefit of providing the logged in user implicit
> access to all objects defined via the group rights without needing to
> change role/re-login.

Exactly. Given that "role" is implemented according to the standard,
leave it be. A user could always be part of a "group" and inherit all
privileges for that "group". It could be assigned to multiple groups and
get all privileges after login, without the need to specify the groupname
on login or switch groups.

With regards,

Martijn Tonies
Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL
Server
Upscene Productions
http://www.upscene.com
Database development questions? Check the forum!
http://www.databasedevelopmentforum.com
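
The group/role distinction discussed in this thread, as an added example that is not part of the original message and is not Firebird code: a small Python model in which group grants apply implicitly after login while a role's grants apply only when a member activates it. The `Catalog` class, all user, group, role and table names, and the rule that only "Security Admin" members may register users for a group are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Catalog:
    grants: dict = field(default_factory=dict)         # (grantee, object) -> privileges
    role_members: dict = field(default_factory=dict)   # role -> users who may activate it
    group_members: dict = field(default_factory=dict)  # group -> users

    def grant(self, grantee, obj, *privs):
        self.grants.setdefault((grantee, obj), set()).update(privs)

    def create_database(self, owner, system_groups):
        # As proposed in the thread: the creator joins every system-defined group.
        for group in system_groups:
            self.group_members.setdefault(group, set()).add(owner)

    def add_to_group(self, actor, user, group, admin_group="Security Admin"):
        # Assumption: only members of admin_group may register users for a group.
        if actor not in self.group_members.get(admin_group, set()):
            raise PermissionError(f"{actor} may not manage group membership")
        self.group_members.setdefault(group, set()).add(user)

    def effective(self, user, obj, active_role=None):
        # Direct grants and all group grants apply implicitly after login.
        grantees = {user} | {g for g, m in self.group_members.items() if user in m}
        # A role contributes only when explicitly activated by one of its members.
        if active_role is not None:
            if user not in self.role_members.get(active_role, set()):
                raise PermissionError(f"{user} may not activate {active_role}")
            grantees.add(active_role)
        return set().union(*(self.grants.get((g, obj), set()) for g in grantees))


def build_sample():
    # Constructed sample data; every name below is hypothetical.
    cat = Catalog()
    cat.create_database("alice", ["Schema Owner", "Backup Operator", "Security Admin"])
    cat.grant("READERS", "ORDERS", "SELECT")
    cat.grant("CLERKS", "ORDERS", "INSERT", "UPDATE")
    cat.grant("AUDITOR", "ORDERS", "DELETE")  # AUDITOR is a role, not a group
    cat.role_members["AUDITOR"] = {"bob"}
    cat.add_to_group("alice", "bob", "READERS")
    cat.add_to_group("alice", "bob", "CLERKS")
    return cat
```

In this model, reviewing what a login can do means enumerating every group the user belongs to, since none of them can be switched off for a session the way a role can.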