Re: Another Security Question: User-based Roles vs. Application Business Rules

From: Thomas F(dot)O'Connell <tfo(at)alumni(dot)brown(dot)edu>
To: Randy Yates <yates(at)ieee(dot)org>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Another Security Question: User-based Roles vs. Application Business Rules
Date: 2004-09-11 07:48:20
Message-ID: F31B6E99-03C6-11D9-8609-000D93AE0944@alumni.brown.edu
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Presumably in the context of a web application, you've got control over
the contexts in which users exist and log in. People accessing publicly
accessible page, for instance, might connect as one user; people
accessing content via a login might connect as another.

Basically, for each role your web application creates in terms of types
of users, you can create a postgres user.

Often, it's as simple as creating a single postgres user that acts as a
proxy for the entire web application because, if you're the web
application designer as well, or can have authority over the
application in some way, you can know what sorts of permissions will be
required in the database.

-tfo

On Sep 7, 2004, at 11:39 PM, Randy Yates wrote:

> Forgive me if this is a basic and trivial (i.e., stupid) question. I
> haven't
> been using postgres very long, and I'm not an experienced database
> system
> developer.
>
> I noticed that there is a very powerful group-based security feature in
> postgres. Very nice - I like it alot. So one way to implement security
> constraints is to define appropriate groups, assign memobership of
> users
> to those groups, and then assign group-based permissions to the
> assorted
> database objects (e.g., tables). Fantastic!
>
> However, ... this requires each entity accessing the databse to be
> defined as a user. In the context of a web application, this paradigm
> doesn't necessarily make sense since there may be many unknown users.
> Somehow those users must be mapped to a "role." I suppose you can map
> all unknown users into the user "guest" and then define guest
> privileges
> appropriately.
>
> Is this a good approach? Is there better way to do this? Is there an
> altnerate way to consider?
> --
> % Randy Yates % "My Shangri-la has gone away, fading
> like
> %% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
> %%% 919-577-9882 %
> %%%% <yates(at)ieee(dot)org> % 'Shangri-La', *A New World Record*,
> ELO
> http://home.earthlink.net/~yatescr

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Ian Barwick 2004-09-11 07:59:45 Re: unicode and varchar
Previous Message Anton Nikiforov 2004-09-11 07:42:46 pg_shadow in a constraint