Subject Re: [ib-support] ROLES / LOGIN , control access to GUI user rights.
Author Helen Borrie
At 12:56 PM 16-11-02 +0200, you wrote:
>I have to control access to various parts of my program.
>How does one do this ? ...
>
>Could one use ROLES / USER / PASSWORD logins to
>restrict access to the GUI ?

No. The database and the database server don't even know about your
application.


>What will happen if a USER logs in with a ROLE that is not assigned to
>the user?

Unless the user is SYSDBA, it has no rights on the server except to create
a database. If the (non-SYSDBA) user creates a database, that user will be
the Owner of the database and of any objects which that user creates. The
server doesn't know about ROLES - these are specific to the database in
which they are created.

Any user on the server can log in to any database on the server but, except
for the Owner and SYSDBA, that user will not be able to see or do anything
unless it is given privileges to specific objects.

>My guess is that an Exception will be thrown if data is
>accessed that is not assigned to that role.

Data is not assigned to a role. A role is granted specific privileges (or
ALL privileges) to a specific object. This happens inside the database,
not at server level.


>What will happen if a USER logs in via a ROLE that is not assigned to
>that USER ? How does one prevent this ?

Here's how it works. You create a role in the database. Next, you grant
some privileges to that role for some data objects. Next, you grant that
role to a user. After that, the user will have the privileges of that
role. So don't grant a role to a user that you don't want to have the
privileges of that role.


>Most of the Buttons in my application are controlled via an ActionList so
>based upon the ROLE I could disable/enable the appropriate Actions.
>Can this be done? How does one determine the ROLE that is assigned to
>the USER ?

That's not quite how it works. ROLE and USER apply to database
privileges: they are not "aware" of your application at all. If your
application accesses a database object for which the role and/or user which
were used to connect the application to the db do not have the appropriate
privileges, a database exception will occur.

However, your *application* is aware of the role and user that are
connected; and a connection can only involve one role and one user; so
you could easily devise ways for your app code to use these connection
attributes to condition things like whether a button is enabled, etc., and
pre-empt permissions errors.


>How does one use ROLES to control access, or is it not
>intended for such use ?

It is exactly intended to control access to database objects. It sounds as
if you need to study this a bit...see the ibdocs and look for some papers
at www.ibphoenix.com

One way you can use SQL privileges is to create views or sel. SPs that
provide a restricted view of a table or group of tables and grant
permissions to roles or users to those, while withholding permissions for
the underlying tables.

heLen
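
Added example, not part of the message above: the steps it describes (create a role, grant that role privileges on a restricted view while withholding them on the underlying table, grant the role to a user), followed by queries an application can run to read its own connection's user and role. The table, view, role and user names are hypothetical, and CURRENT_USER / CURRENT_ROLE are assumed to be available (Firebird 1.0 or later).

```sql
-- Hypothetical objects: table CUSTOMER, view V_CUSTOMER_CONTACT,
-- role SALES_CLERK, user JSMITH. Run the DDL as the database Owner or SYSDBA.

CREATE TABLE CUSTOMER (
    ID           INTEGER NOT NULL PRIMARY KEY,
    NAME         VARCHAR(60) NOT NULL,
    PHONE        VARCHAR(20),
    CREDIT_LIMIT NUMERIC(12,2)      -- column the clerks must not see
);

-- Restricted view: exposes contact columns only.
CREATE VIEW V_CUSTOMER_CONTACT (ID, NAME, PHONE) AS
    SELECT ID, NAME, PHONE FROM CUSTOMER;

-- 1. Create the role inside this database.
CREATE ROLE SALES_CLERK;

-- 2. Grant the role privileges on the view only.
--    Nothing is granted on CUSTOMER itself.
GRANT SELECT ON V_CUSTOMER_CONTACT TO SALES_CLERK;

-- 3. Grant the role to the user who should hold those privileges.
GRANT SALES_CLERK TO JSMITH;

-- When JSMITH connects with role SALES_CLERK:
SELECT ID, NAME, PHONE FROM V_CUSTOMER_CONTACT;  -- allowed through the role
SELECT CREDIT_LIMIT FROM CUSTOMER;               -- raises a permission exception

-- What the application can ask about its own connection,
-- for example to decide which Actions to enable.
-- CURRENT_ROLE is NONE when no role is in effect for the connection.
SELECT CURRENT_USER, CURRENT_ROLE FROM RDB$DATABASE;

-- Roles that have been granted to the connected user in this database.
-- Role membership is stored as privilege 'M' on an object of type 13 (role).
SELECT RDB$RELATION_NAME AS ROLE_NAME
  FROM RDB$USER_PRIVILEGES
 WHERE RDB$USER = CURRENT_USER
   AND RDB$PRIVILEGE = 'M'
   AND RDB$OBJECT_TYPE = 13;
```

Enabling or disabling buttons from these values only pre-empts errors in the GUI; the GRANT statements are what enforce access, because any other client connecting as the same user is bound by them as well.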