Subject Re: issue with granting roles
Author C.J.
--- In firebird-support@yahoogroups.com, Helen Borrie <helebor@...>
wrote:
>
> At 11:56 PM 18/04/2006, you wrote:
>
> > > >
> > > >So now I'm wondering, are roles broken? or have I missed something?
> > >
> > > You didn't mention that BOB's login structure included the role
> > > name. Is this what you missed?
> > >
> > > ./heLen
> > >
> >
> >The PHP function ibase_pconnect() lists role as an optional value as
> >shown here.
> >====================================
> >resource ibase_pconnect ( [string database [, string username [,
> >string password [, string charset [, int buffers [, int dialect [,
> >string role [, int sync]]]]]]]] )
> >------------------------------------
> >
> >is this required to enable "Bob's" role of mgr?
>
> Y E S. Y E S. Y E S. Y E S. Y E S. Y E S. Y E S.
>
> >If this is so, then
> >what's the purpose of granting a role to Bob?
>
> A role is "a package of privileges". So, the purpose of granting a
> role to Bob is to make that package of privileges available to Bob.
>
> >So he can have more than one role, maybe?
>
> Not usually, although it is possible for the same user to log in at
> different times using different roles.
>
> I think your mistake is in assuming that roles form something like
> user groups. If so, you're not the first. :-)
>
> A simple way to think about the login is:
>
> -- with the username and password the user gets authenticated on the
> server but has no privileges in the database.
> -- when you add the role, you add all the necessary privileges in the
> database.
>
> The alternative to using roles is a complete birdsnest of individual
> user privileges that can very easily get right out of control.
>
> ./heLen
>

OK, got it Helen!

My mistake was in assuming that granting a role to a user would
limit a user on login with just the login of; the path to the
database, the user name and the user password. Once logged in the
database server would "understand" 'Bob', has restricted access as
defined by the role 'mgr'. In fact, Firebird will default the user
to Public, when the role is omitted during login.

This behaviour is different than what I was expecting, thanks a lot
Helen!

I guess I should buy your book now ;^P
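
The behaviour settled in this thread, as an added isql script that is not part of the original messages: the role is granted once, but its privileges apply only to a session that names the role at login. Assumptions: user BOB already exists on the server, PAYROLL is a hypothetical table, and the database path and passwords are placeholders.

```sql
-- Added illustration, not from the thread. PAYROLL is a hypothetical table;
-- the database path and the passwords are placeholders.

-- 1. As the database owner: put the privileges in a role, then make the
--    role available to BOB. BOB himself is granted nothing on the table.
CONNECT 'localhost:/path/to/example.fdb' USER 'SYSDBA' PASSWORD '<sysdba-password>';

CREATE TABLE PAYROLL (
  EMP_ID INTEGER NOT NULL PRIMARY KEY,
  SALARY NUMERIC(10,2)
);
COMMIT;

CREATE ROLE MGR;
GRANT SELECT, UPDATE ON PAYROLL TO MGR;
GRANT MGR TO BOB;
COMMIT;

-- 2. BOB logs in with user name and password only. He is authenticated,
--    but no role is active (CURRENT_ROLE reports NONE), so the session has
--    only BOB's own grants plus whatever is granted to PUBLIC. The read of
--    PAYROLL is refused for lack of permission.
CONNECT 'localhost:/path/to/example.fdb' USER 'BOB' PASSWORD '<bob-password>';
SELECT CURRENT_USER, CURRENT_ROLE FROM RDB$DATABASE;
SELECT COUNT(*) FROM PAYROLL;

-- 3. Same user, same password, role named at login. This is the isql
--    counterpart of the "role" argument of ibase_pconnect(). The session
--    now carries the privileges granted to MGR and the read succeeds.
CONNECT 'localhost:/path/to/example.fdb' USER 'BOB' PASSWORD '<bob-password>' ROLE MGR;
SELECT CURRENT_USER, CURRENT_ROLE FROM RDB$DATABASE;
SELECT COUNT(*) FROM PAYROLL;

-- 4. Audit check, run as the owner: list which users hold which roles.
--    Role membership is stored in RDB$USER_PRIVILEGES with privilege 'M',
--    and RDB$RELATION_NAME holds the role name.
CONNECT 'localhost:/path/to/example.fdb' USER 'SYSDBA' PASSWORD '<sysdba-password>';
SELECT RDB$USER, RDB$RELATION_NAME AS ROLE_NAME, RDB$GRANTOR
FROM RDB$USER_PRIVILEGES
WHERE RDB$PRIVILEGE = 'M';
```

Checking CURRENT_ROLE at the start of an application session is a quick way to confirm that the connection string actually passed the role.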