Re: Advice needed on application/database authentication/authorization/auditing model

Hey Tony,

2010/10/27 Tony Cebzanov <tonyceb(at)andrew(dot)cmu(dot)edu>

> On 10/23/10 11:01 AM, Craig Ringer wrote:
> > Yep. As for not explicitly mentioning "lower" roles when granting a
> > higher role (ie "admin" isn't also a "user") - role inheritance.
>
> I knew about role inheritance, I just didn't know about the
> pg_has_role() function for determining if a user has a role. That's
> helpful, but I really don't want to be hitting the database with a
> pg_has_role() call for every time I want to check if a user should have
> access to a certain page or function in my application.
>
Why not? Performance? It's just one function call.

>
> Normally, when the user logs in, I'd cache their user info, and any
> roles they have, either directly or indirectly. But how can I do this
> if I'm not directly making administrators members of the other groups
> they inherit the rights of? In other words, is there a convenience
> function or view I can use to get a list of all roles the user has
> access to, both directly or indirectly?
>
Please, see
http://www.postgresql.org/docs/9.0/static/infoschema-applicable-roles.html

>
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

--
// Dmitriy.