user roles
Derek Atkins
warlord@MIT.EDU
02 Jan 2001 18:09:47 -0500
David Merrill <dmerrill@lupercalia.net> writes:
> I'm planning to define permissions within the database itself. I want
> the database to be aware of these permissions so they can be enforced
> at that level. They could be exported to the server in any format you
> want, including the <name> <list of perms> you suggest.
I guess this implies that each user must have a login to the
database?
> I am allowing for an arbitrary number of "role" records to be
> defined, each of which can be assigned any set of permissions. Each
> user is then assigned one or more of these roles, and inherits all the
> permissions provided by any of them.
That sounds eminently reasonable to me. Indeed, I think there might
be two sets of "roles" (mind if I call them groupings?). First, you
can have a set of groupings that bunch together a set of permissions,
e.g. read, write (which implies read), all (which implies read,
write, admin, etc.). Second, you can have a set of groupings which
define roles, e.g. sysadmin, financial-manager, entry-twit, etc. The
former list is most likely pre-defined by the system. The latter set
of groups is user-defined and allows users to build groups of
users. :)
Indeed, when I say <name> above, I really mean "name of user or name
of group".
But it sounds like we're on the same page. Wonderful.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
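
The two kinds of grouping discussed in this message, as an added example that is not part of the original e-mail or of the project's code: permission groupings that imply other permissions, and user-defined roles whose permissions a user inherits as a union, exported as `<name> <list of perms>` lines. The function names, the user names and the sample assignments are constructed for illustration.

```python
# Added illustration; every name and sample record below is constructed.

# Pre-defined permission groupings: each permission implies others.
IMPLIES = {
    "read": set(),
    "admin": set(),
    "write": {"read"},
    "all": {"read", "write", "admin"},
}

# User-defined roles and user-to-role assignments (constructed sample data).
ROLE_PERMS = {
    "sysadmin": {"all"},
    "financial-manager": {"write"},
    "entry-twit": {"read"},
}
USER_ROLES = {
    "alice": ["financial-manager", "entry-twit"],
    "bob": ["entry-twit"],
}

def expand(perms):
    """Return perms plus everything they imply, transitively."""
    seen, stack = set(), list(perms)
    while stack:
        p = stack.pop()
        if p not in IMPLIES:
            raise KeyError(f"unknown permission: {p}")
        if p not in seen:
            seen.add(p)
            stack.extend(IMPLIES[p])
    return seen

def effective(name):
    """Resolve a user name or a role name to its full permission set."""
    if name in ROLE_PERMS:
        return expand(ROLE_PERMS[name])
    if name not in USER_ROLES:
        raise KeyError(f"unknown user or role: {name}")  # deny by default
    perms = set()
    for role in USER_ROLES[name]:
        perms |= expand(ROLE_PERMS[role])  # an undefined role raises KeyError
    return perms

def export():
    """Emit one '<name> <list of perms>' line per role, then per user."""
    names = sorted(ROLE_PERMS) + sorted(USER_ROLES)
    return [f"{n} {' '.join(sorted(effective(n)))}" for n in names]

if __name__ == "__main__":
    print("\n".join(export()))
```

Unknown names and unknown permissions raise instead of resolving to an empty set, so a typo in a role record cannot pass silently as "no permissions".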