Re: [PATCHES] Users/Groups -> Roles
| От | Tom Lane |
|---|---|
| Тема | Re: [PATCHES] Users/Groups -> Roles |
| Дата | |
| Msg-id | 9992.1120237396@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: [PATCHES] Users/Groups -> Roles (Bruce Momjian <pgman@candle.pha.pa.us>) |
| Ответы |
Re: [PATCHES] Users/Groups -> Roles
|
| Список | pgsql-hackers |
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Stupid question, but how do roles relate to our existing "groups"?
As committed, roles subsume both users and groups: a role that permits
login (rolcanlogin) acts as a user, and a role that has members is a
group. It is possible for the same role to do both things, though I'm
not sure that it's good security policy to set up a role that way.
The advantage over what we had is exactly that there isn't any
distinction, and thus groups can do everything users can and
vice versa:* groups can own objects* groups can contain other groups (we forbid loops though)
Also there is a notion of "admin option" for groups, which is like
"grant option" for privileges: you can designate certain members of
a group as being able to grant ownership in that group to others,
without having to make them superusers.
regards, tom lane
В списке pgsql-hackers по дате отправления: