On 12/09/2011 05:46 AM, James B. Byrne wrote:
> The topic of RDBMS security has arisen in a discussion and, lacking evidence of my own, I am curious to discover just how frequently DBMS userids tied to specific individuals are used in production RDBMS-based systems. I am also curious to know how often VIEWS are tied to individual user IDs known to the DBMS rather than to shared user IDs known only to an application through a configuration file.

User IDs are often used to help secure multi-tenanted databases. I just wrote about this in response to another question, see:

http://stackoverflow.com/questions/8432636/in-postgresql-are-partitions-or-multiple-databases-more-efficient/8439618#8439618

Individual user IDs are often useful the same way, via `SET ROLE' from an unprivileged account a connection pool uses. Because of connection establishment overheads and the need to pool connections I'm generally reluctant to use setups where the app auths against the database with a given user ID and password directly.

--
Craig Ringer
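
The pooled-connection pattern described in the reply, sketched for PostgreSQL as an added example that is not part of the original message. The role, table and view names (pool_login, alice, bob, invoices, my_invoices) and the sample rows are constructed for illustration.

```sql
-- Run the setup as a superuser or the database owner.

-- Unprivileged account the connection pool logs in as. NOINHERIT means it
-- gets nothing from the roles it is a member of until it issues SET ROLE.
CREATE ROLE pool_login LOGIN NOINHERIT;

-- Per-person roles. NOLOGIN: they can only be reached through SET ROLE.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;
GRANT alice, bob TO pool_login;

CREATE TABLE invoices (
    id         serial PRIMARY KEY,
    owner_role name NOT NULL,
    amount     numeric(10,2) NOT NULL
);
REVOKE ALL ON invoices FROM PUBLIC;

-- Constructed sample rows.
INSERT INTO invoices (owner_role, amount)
VALUES ('alice', 120.00), ('alice', 75.50), ('bob', 310.25);

-- View tied to the individual user ID: current_user is evaluated for the
-- role that runs the query, while access to the base table is checked
-- against the view owner, so alice and bob need no grant on invoices itself.
CREATE VIEW my_invoices AS
    SELECT id, amount
    FROM invoices
    WHERE owner_role = current_user;
GRANT SELECT ON my_invoices TO alice, bob;

-- What the application runs on a pooled connection for one request,
-- after it has authenticated the end user itself:
SET ROLE alice;
SELECT session_user, current_user;  -- pool_login, alice
SELECT * FROM my_invoices;          -- the two rows owned by alice
SELECT * FROM invoices;             -- fails: permission denied
RESET ROLE;                         -- always, before returning to the pool
```

`SET ROLE` only narrows what well-behaved application code does: any SQL running in the session can `RESET ROLE` or switch to another role that pool_login is a member of, so the role name has to come from the application's own authentication and never from request input.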