Another Security Question: User-based Roles vs. Application Business Rules
From | Randy Yates |
---|---|
Subject | Another Security Question: User-based Roles vs. Application Business Rules |
Date | |
Msg-id | 7jr5e5m0.fsf@ieee.org |
Responses | Re: Another Security Question: User-based Roles vs. Application Business Rules |
List | pgsql-general |

Forgive me if this is a basic and trivial (i.e., stupid) question. I haven't been using postgres very long, and I'm not an experienced database system developer.

I noticed that there is a very powerful group-based security feature in postgres. Very nice - I like it a lot. So one way to implement security constraints is to define appropriate groups, assign membership of users to those groups, and then assign group-based permissions to the assorted database objects (e.g., tables). Fantastic!

However, ... this requires each entity accessing the database to be defined as a user. In the context of a web application, this paradigm doesn't necessarily make sense since there may be many unknown users. Somehow those users must be mapped to a "role."

I suppose you can map all unknown users into the user "guest" and then define guest privileges appropriately. Is this a good approach? Is there a better way to do this? Is there an alternate way to consider?

--
%  Randy Yates                  % "My Shangri-la has gone away, fading like
%% Fuquay-Varina, NC            %  the Beatles on 'Hey Jude'"
%%% 919-577-9882                %
%%%% <yates@ieee.org>           % 'Shangri-La', *A New World Record*, ELO
http://home.earthlink.net/~yatescr
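
The group-and-guest arrangement the post describes, as an added example that is not part of the original message: privileges are attached to group roles, and the web application connects as a low-privilege `guest` login for every unknown visitor. It uses current PostgreSQL role syntax; the table, the role names and the passwords are constructed for illustration.

```sql
-- Hypothetical table standing in for an application object.
CREATE TABLE articles (
    id    serial PRIMARY KEY,
    title text NOT NULL,
    body  text NOT NULL
);

-- Group roles carry the privileges and cannot log in themselves.
CREATE ROLE readers NOLOGIN;
CREATE ROLE editors NOLOGIN;

-- Start from no access for everyone, then grant per group.
REVOKE ALL ON articles FROM PUBLIC;
GRANT SELECT ON articles TO readers;
GRANT SELECT, INSERT, UPDATE, DELETE ON articles TO editors;
GRANT USAGE ON SEQUENCE articles_id_seq TO editors;

-- Login roles the application connects as. Every unknown web visitor is
-- mapped to "guest"; a known staff member gets a named login.
-- The passwords are placeholders.
CREATE ROLE guest LOGIN PASSWORD 'change-me' IN ROLE readers;
CREATE ROLE alice LOGIN PASSWORD 'change-me' IN ROLE editors;

-- Audit the resulting privileges without switching sessions:
-- guest should be read-only, alice should be able to write.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'articles', 'SELECT') AS can_select,
       has_table_privilege(r.rolname, 'articles', 'INSERT') AS can_insert,
       has_table_privilege(r.rolname, 'articles', 'DELETE') AS can_delete
FROM   pg_roles AS r
WHERE  r.rolname IN ('guest', 'alice')
ORDER  BY r.rolname;

-- Confirm which groups each login inherits from.
SELECT m.rolname AS member, g.rolname AS member_of
FROM   pg_auth_members AS am
JOIN   pg_roles AS m ON m.oid = am.member
JOIN   pg_roles AS g ON g.oid = am.roleid
WHERE  m.rolname IN ('guest', 'alice');
```

Under this layout the database enforces only what the `guest` connection may touch; telling one anonymous visitor from another remains a rule the application has to apply.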