user roles

Derek Atkins warlord@MIT.EDU
02 Jan 2001 18:09:47 -0500


David Merrill <dmerrill@lupercalia.net> writes:

> I'm planning to define permissions within the database itself. I want
> the database to be aware of these permissions so they can be enforced
> at that level. They could be exported to the server in any format you
> want, including the <name> <list of perms> you suggest.

I guess this implies that each user must have a login to the
database?

> I am allowing for an arbitrary number of "role" records to be
> defined, each of which can be assigned any set of permissions. Each
> user is then assigned one or more of these roles, and inherits all the
> permissions provided by any of them.

That sounds eminently reasonable to me.  Indeed, I think there might
be two sets of "roles" (mind if I call them groupings?).  First, you
can have a set of groupings that bunch together a set of permissions,
e.g.  read, write (which implies read), all (which implies read,
write, admin, etc.).  Second, you can have a set of groupings which
define roles, e.g. sysadmin, financial-manager, entry-twit, etc.  The
former list is most likely pre-defined by the system.  The latter set
of groups is user-defined and allows users to build groups of
users. :)

Indeed, when I say <name> above, I really mean "name of user or name
of group".

But it sounds like we're on the same page.  Wonderful.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
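
The two-level scheme discussed in this message (system-defined permission groupings with implication, plus user-defined roles whose permissions a user inherits as a union) can be resolved inside the database with a recursive query. This is an added example, not part of the original email or the project's code; the table names, the sample users and the space-separated rendering of `<name> <list of perms>` are assumptions.

```python
import sqlite3

# Hypothetical schema and constructed sample data; not the project's own tables.
SCHEMA = """
CREATE TABLE implies   (perm TEXT, implied TEXT);  -- system-defined groupings
CREATE TABLE role_perm (role TEXT, perm TEXT);     -- user-defined roles
CREATE TABLE user_role (usr  TEXT, role TEXT);     -- a user may hold several roles
INSERT INTO implies VALUES ('write','read'), ('all','write'), ('all','admin');
INSERT INTO role_perm VALUES ('sysadmin','all'), ('financial-manager','write'),
                             ('entry-twit','read');
INSERT INTO user_role VALUES ('alice','sysadmin'), ('bob','financial-manager'),
                             ('bob','entry-twit'), ('carol','entry-twit');
"""

# Direct grants for roles and users, then expanded transitively via `implies`.
EFFECTIVE = """
WITH RECURSIVE
grants(name, perm) AS (
    SELECT role, perm FROM role_perm
    UNION
    SELECT ur.usr, rp.perm FROM user_role ur JOIN role_perm rp ON rp.role = ur.role
),
eff(name, perm) AS (
    SELECT name, perm FROM grants
    UNION
    SELECT eff.name, i.implied FROM eff JOIN implies i ON i.perm = eff.perm
)
SELECT name, perm FROM eff ORDER BY name, perm
"""

def demo_db():
    """Build an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def effective_permissions(conn):
    """Return {user or role name: sorted list of effective permissions}."""
    out = {}
    for name, perm in conn.execute(EFFECTIVE):
        out.setdefault(name, []).append(perm)
    return out

def export_lines(conn):
    """Render one '<name> <list of perms>' line per user or role."""
    eff = effective_permissions(conn)
    return [f"{name} {' '.join(perms)}" for name, perms in sorted(eff.items())]

if __name__ == "__main__":
    print("\n".join(export_lines(demo_db())))
```

Because the query uses `UNION` rather than `UNION ALL`, a permission reached through two roles or two implication paths appears once, and a cycle in `implies` cannot make the recursion run forever.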