> >The "problem" that you think exists is very simply addressed by the

web

> >service authenticating a user using one connection (which has access

to

> >only the security data) and then have all other accesses done using
> >having the a new connection created. As such, the new connection

would

> >be in the users context and thus governed by their specific rights.
> >
> >
> That, at best, doubles the overhead.

To be clear, which overhead?

> And if a user has multiple roles
> (say a poster, moderator, and administrator), it doesn't work at all
> since no single role can give the user his full range of access

without

> the dba being required to define artificial roles to map the artesian
> product of actual roles. And to what end?

Actually, I'm not talking about such a model and I think we have gotten
our wire crossed.

So, I suggest that we come up with some 'straw man' examples to
illustrate our positions.

I will try to work on this a little later tonight, right now I have some
real work to get to.


Sean