Subject Re: FB security - Roles vs Groups
Author johnson_dave2003
All of these objections fail to recognize that an LDAP-like model can
represent the crude security model of SQL92. That level of security
represents a lowest denominator that in practice amounts to no
security, but as a standard it can (must) be supported.

Given that the ROLE must be represented as a set of references, not a
single entity reference, the support of the "if ROLE = 'BOSS'" type
clauses can be maintained through a number of mechanisms.

Mechanism 1:
* During database migration, recognize this construct and replace it
with the operation "if ROLE contains 'BOSS'".

Mechanism 2:
* Provide a configuration switch at startup that says "use SQL92
not-quite security" or "use some real security". In the case of SQL92
security, only check the first entry of the ROLE set.

Mechanism 3:
* Support both approaches, with the existence of an LDAP-like security
(or any installed security PAM) overriding SQL92 security.

// Fall back to SQL92 authorization only when no security PAM is installed.
if (!securityPAMIsInstalled())
{
    authorizeViaSQL92();
}
else
{
    authorizeViaInstalledSecurityPAM();
}
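
The three mechanisms side by side, as an added example that is not part of the original post and is not Firebird code. Every name in it is hypothetical, the ROLE set is assumed to be ordered with the SQL92 role as its first entry, and the migration rewrite is a plain text match rather than a SQL parser.

```cpp
#include <algorithm>
#include <functional>
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// All names here are hypothetical; none of this is Firebird code.
// Assumption: the ROLE set is ordered and entry 0 is the SQL92 role.
using RoleSet = std::vector<std::string>;
enum class Mode { SQL92Compat, Contains };

// Mechanism 2: the startup switch selects first-entry or membership checks.
bool roleMatches(const RoleSet& roles, const std::string& wanted, Mode mode) {
    if (roles.empty()) return false;
    if (mode == Mode::SQL92Compat) return roles.front() == wanted;
    return std::find(roles.begin(), roles.end(), wanted) != roles.end();
}

// Mechanism 1: migration-time rewrite of ROLE = 'X' into ROLE contains 'X'.
// Naive text match: it does not parse SQL, so it would also rewrite the
// pattern inside a string literal or comment.
std::string migrateRoleTest(const std::string& src) {
    static const std::regex eq(R"(\bROLE\s*=\s*('[^']*'))",
                               std::regex::ECMAScript | std::regex::icase);
    return std::regex_replace(src, eq, "ROLE contains $1");
}

// Mechanism 3: an installed security module overrides SQL92 behaviour.
// An empty std::function stands for "no module installed".
using Authorizer = std::function<bool(const RoleSet&, const std::string&)>;
bool authorize(const RoleSet& roles, const std::string& wanted,
               const Authorizer& installed) {
    if (!installed) return roleMatches(roles, wanted, Mode::SQL92Compat);
    return installed(roles, wanted);
}

int main() {
    const RoleSet roles = {"CLERK", "BOSS"};  // constructed sample user
    std::cout << std::boolalpha
              << roleMatches(roles, "BOSS", Mode::SQL92Compat) << ' '
              << roleMatches(roles, "BOSS", Mode::Contains) << '\n'
              << migrateRoleTest("if (ROLE = 'BOSS') then") << '\n';
}
```

A user holding both CLERK and BOSS fails the 'BOSS' test in SQL92 mode and passes it under the set check, so the switch in Mechanism 2 changes authorization results for existing code and not only its syntax.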