Subject Re: [ib-support] A Newbie Question
Author Doug Chamberlin
At 8/20/2001 05:46 AM (Monday), Wayne wrote:
>Am I right in saying the following: users are for the server but
>roles are database specific?
>
>This is what I want to achieve. Currently I have no roles at all but
>have decided to implement roles, security will be at database level
>as well as app level. At the app level, certain roles will access
>certain forms (menu Items).
>
>Currently users log in showing user name and password.
>
>1. I do not want the user to have to enter a role at log in time (In
>fact each user will only have one possible role and as far as I am
>concerned, need not even know what that role is)
>
>2. How can I ascertain the role immediately after logging in so that I
>can make certain menu items invisible?
>
>3. How do I allocate a role to a user, is it via isc4.gdb or my own
>database?

Roles are server-wide, not specific to a database.

Users "assume" a role when they connect. A user can only assume one role
per connection. When they assume a role they acquire the privileges granted
to that role.

When a database connection is made the role to be assumed is chosen by the
client application and provided to the server. The actual human user need
not see or know the role but the specified role must come from the client
application. Therefore, the client should always know what role the user
assumed when they connected.

Users are granted the ability to assume a role via the normal GRANT/REVOKE
commands.

Roles are NOT the same as "groups" of users because while a single user can
be granted the right to assume several roles they are only allowed to
assume one per connection. If a user belongs to several groups and they
connect then they still belong to all those groups during that connection.

Hope this clears up things!
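
The grant, lookup and connect steps discussed in this thread, as an added isql example that is not part of the original message. The role MENU_SALES, user JSMITH, table ORDERS, the database path and the password are hypothetical placeholders, and the RDB$USER_PRIVILEGES encoding used in step 2 is an assumption to check against your server version's system-table reference.

```sql
/* 1. Run once by the database owner or SYSDBA:
      create the role, give it privileges, and let one user assume it. */
CREATE ROLE MENU_SALES;
GRANT SELECT, INSERT, UPDATE ON ORDERS TO MENU_SALES;
GRANT MENU_SALES TO JSMITH;
COMMIT;

/* 2. At login time the application first connects without a role,
      using the name and password the user typed. */
CONNECT '/data/app.gdb' USER 'JSMITH' PASSWORD 'placeholder';

/*    It then looks up which role(s) this user may assume.
      Assumed encoding: RDB$PRIVILEGE = 'M' marks role membership,
      RDB$OBJECT_TYPE = 13 marks a role, and RDB$RELATION_NAME
      holds the role name for such rows. */
SELECT RDB$RELATION_NAME AS ROLE_NAME
FROM RDB$USER_PRIVILEGES
WHERE RDB$USER = USER
  AND RDB$PRIVILEGE = 'M'
  AND RDB$OBJECT_TYPE = 13;

/* 3. The application reconnects, supplying the role itself.
      The user never types or sees it. From client libraries the
      same value goes into the connection parameters
      (isc_dpb_sql_role_name in the InterBase API). */
CONNECT '/data/app.gdb' USER 'JSMITH' PASSWORD 'placeholder'
  ROLE 'MENU_SALES';

/*    The role name found in step 2 is what the application uses to
      decide which menu items to show. Hiding a menu item is only
      cosmetic: the GRANTs in step 1 are what the server enforces. */

/* 4. Taking the role away again. The user keeps only privileges
      granted to them directly or to PUBLIC. */
REVOKE MENU_SALES FROM JSMITH;
COMMIT;
```

If step 2 returns more than one row, the application has to pick one, since only one role can be assumed per connection.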