user roles

Derek Atkins warlord@MIT.EDU
03 Jan 2001 08:59:21 -0500


David Merrill <dmerrill@lupercalia.net> writes:

> > I guess this implies that each user must have a login to the
> > database?
> 
> Correct. This is a requirement anyway to have complete, end-to-end
> audit trails, and that's important.

There are other ways of doing this...  If we have a "trusted security
server" tied to the database, then the security server would log in
itself and then supply the audit trail information from its own user
authentication.  For example, I don't think any SQL server accepts
Kerberos Authentication, but I'd like to support that.

> That's exactly it. I chose the term "role" because it implies with it
> a business role, e.g., administrator, manager or data entry clerk. Now
> who would like to take a stab at determining the default roles and
> their default permissions? That would be a good exercise to fine tune
> the set of permissions we configure.

I'm not convinced that we really do need to define (many) default
roles.  I do believe we need to allow users to define new roles, and
we need to allow users to edit the membership of existing roles.
(Does this imply that roles need ACLs too?)

> I wonder how deeply these messages can nest before mutt throws up.
> Hmmmm, we may find out soon. ;-p

Hmm.. Recursive message threading ;)

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
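
An added example, not part of the original message or the project's code: a sketch of the "trusted security server" arrangement discussed above, where only the server holds a database login and the audit trail records the user it authenticated. The table names, the per-role ACL model, the `SecurityServer` class and the principals are assumptions made for illustration; authentication itself (e.g. Kerberos) is assumed to have happened before `add_member` is called.

```python
import sqlite3

class SecurityServer:
    """Hypothetical trusted mediator: the only principal with a database login."""

    def __init__(self):
        # One connection, standing in for the server's own database login.
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE role_member(role TEXT, member TEXT, UNIQUE(role, member));
            CREATE TABLE role_acl(role TEXT, principal TEXT, UNIQUE(role, principal));
            CREATE TABLE audit(seq INTEGER PRIMARY KEY, actor TEXT, action TEXT,
                               role TEXT, target TEXT, allowed INTEGER);
        """)

    def grant_role_admin(self, role, principal):
        # Bootstrap step (constructed): who may edit this role's membership.
        self.db.execute("INSERT OR IGNORE INTO role_acl VALUES (?, ?)",
                        (role, principal))

    def add_member(self, actor, role, member):
        """actor is the identity the server already authenticated (assumed)."""
        allowed = self.db.execute(
            "SELECT 1 FROM role_acl WHERE role = ? AND principal = ?",
            (role, actor)).fetchone() is not None
        with self.db:  # audit row and membership change commit together
            self.db.execute(
                "INSERT INTO audit(actor, action, role, target, allowed) "
                "VALUES (?, ?, ?, ?, ?)",
                (actor, "add_member", role, member, int(allowed)))
            if allowed:
                self.db.execute("INSERT OR IGNORE INTO role_member VALUES (?, ?)",
                                (role, member))
        return allowed

    def members(self, role):
        return [m for (m,) in self.db.execute(
            "SELECT member FROM role_member WHERE role = ? ORDER BY member", (role,))]

    def audit_trail(self):
        return self.db.execute(
            "SELECT actor, action, role, target, allowed FROM audit ORDER BY seq"
        ).fetchall()

def demo():
    srv = SecurityServer()
    srv.grant_role_admin("manager", "alice@EXAMPLE.ORG")  # constructed principals
    ok = srv.add_member("alice@EXAMPLE.ORG", "manager", "bob@EXAMPLE.ORG")
    denied = srv.add_member("mallory@EXAMPLE.ORG", "manager", "mallory@EXAMPLE.ORG")
    return ok, denied, srv.members("manager"), srv.audit_trail()
```

Denied attempts are written to the audit table as well, so the trail stays per-user even though the database only ever sees the server's single login.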