Re: Securing a db app - RFC
From | BARTKO Zoltan |
---|---|
Subject | Re: Securing a db app - RFC |
Date | |
Msg-id | 002d01c448b9$ce0e2680$0e5d10ac@antik.org |
In reply to | Securing a db app - RFC ("BARTKO Zoltan" <bartko.zoltan@pobox.sk>) |
List | pgsql-general |
Berend, Shridhar, et al.,

see lower

----- Original Message -----
From: <btober@computer.org>
To: <shridhar@frodo.hserus.net>
Cc: <bartko.zoltan@pobox.sk>; <pgsql-general@postgresql.org>
Sent: Wednesday, June 02, 2004 2:28 PM
Subject: Re: [GENERAL] Securing a db app - RFC

>
> > On Wednesday 02 June 2004 02:04, BARTKO Zoltan wrote:
> >> I would appreciate anyone wiser than me to comment on the following:
> >>
> >> I am making an app for PostgreSQL (the server). The clients are
> >> connecting through the same single user. ...
> >>
> >> If I want to access a function (like do this or that with data), I
> >> use a stored function and pass the id# of the user plus all the
> >> necessary things. First, I check if the person is authorized to carry
> >> out the operation. if so, the operation is performed.
> >>
> >> There are users, who are administrators. Thus, they are allowed to do
> >> anything.
> >>
> > You can probably use set session authorization. Here are some brief
> > steps.
> >
> > 1. Convert all your users as postgresql database users
> >
> If he's going to do this, why bother with hard-coding a single user id
> and password in the application -- why not have the user log in as their
> defined Postgresql user, and let the data base handle all the security
> and permission issues?
>

Now my problem is that I have audit trails in the DB. I need to make it so that the admin would just revive a deleted user any time he wishes to do so.

Tell me if my comprehension is limited.

Thanks

Zoltan
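The per-user database accounts and `SET SESSION AUTHORIZATION` switch discussed in this thread, combined with an audit trail, as an added example that is not part of the original message or written by any participant. All role, table and function names are constructed, and it assumes current PostgreSQL role syntax and a superuser session in a scratch database, run statement by statement in psql.

```sql
-- Constructed names throughout; run as a superuser in a scratch database.
CREATE ROLE alice LOGIN;   -- one database role per application user
CREATE ROLE bob LOGIN;

CREATE TABLE invoice (id serial PRIMARY KEY, amount numeric NOT NULL);
CREATE TABLE audit_log (
    at     timestamptz NOT NULL DEFAULT now(),
    who    text        NOT NULL,
    action text        NOT NULL,
    row_id integer     NOT NULL
);

-- SECURITY DEFINER lets the trigger write audit_log without granting users
-- any privilege on it. session_user still names the caller inside the function.
CREATE FUNCTION log_invoice_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
BEGIN
    INSERT INTO audit_log (who, action, row_id)
    VALUES (session_user, TG_OP, NEW.id);
    RETURN NULL;  -- the return value of an AFTER row trigger is ignored
END $$;

CREATE TRIGGER invoice_audit AFTER INSERT OR UPDATE ON invoice
    FOR EACH ROW EXECUTE PROCEDURE log_invoice_change();

-- The database, not application code, decides who may do what.
GRANT SELECT, INSERT, UPDATE ON invoice TO alice;
GRANT USAGE ON SEQUENCE invoice_id_seq TO alice;
GRANT SELECT ON invoice TO bob;

-- Only a session authenticated as a superuser may switch identity this way,
-- so the application's single login would itself need superuser rights.
SET SESSION AUTHORIZATION alice;
INSERT INTO invoice (amount) VALUES (100);  -- permitted, audited as alice
RESET SESSION AUTHORIZATION;

SET SESSION AUTHORIZATION bob;
INSERT INTO invoice (amount) VALUES (5);    -- rejected: bob holds SELECT only
RESET SESSION AUTHORIZATION;

SELECT who, action, row_id FROM audit_log;

-- Disabling rather than dropping keeps the role for audit rows to refer to,
-- and an administrator can re-enable it later.
ALTER ROLE alice NOLOGIN;
-- NOLOGIN blocks direct connections only; an application that switches with
-- SET SESSION AUTHORIZATION has to check this flag itself.
SELECT rolcanlogin FROM pg_roles WHERE rolname = 'alice';
ALTER ROLE alice LOGIN;
```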