
Another Security Question: User-based Roles vs. ApplicationBusiness Rules

Forgive me if this is a basic and trivial (i.e., stupid) question. I haven't
been using postgres very long, and I'm not an experienced database system
developer.

I noticed that there is a very powerful group-based security feature in
postgres. Very nice - I like it a lot. So one way to implement security
constraints is to define appropriate groups, assign membership of users
to those groups, and then assign group-based permissions to the assorted
database objects (e.g., tables). Fantastic!

However, ... this requires each entity accessing the database to be
defined as a user. In the context of a web application, this paradigm
doesn't necessarily make sense since there may be many unknown users.
Somehow those users must be mapped to a "role." I suppose you can map
all unknown users into the user "guest" and then define guest privileges
appropriately.

Is this a good approach? Is there a better way to do this? Is there an
alternate way to consider?
--
% Randy Yates % "My Shangri-la has gone away, fading like
%% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
%%% 919-577-9882 %
%%%% <ya***@ieee.org> % 'Shangri-La', *A New World Record*, ELO
http://home.earthlink.net/~yatescr
Nov 23 '05 #1
I should have mentioned that it seems like the obvious alternative
is to perform security checking at the application layer, preventing
unauthorized access before even attempting to execute a query against
the database.

Comments?

--Randy
--
% Randy Yates % "Watching all the days go by...
%% Fuquay-Varina, NC % Who are you and who am I?"
%%% 919-577-9882 % 'Mission (A World Record)',
%%%% <ya***@ieee.org> % *A New World Record*, ELO
http://home.earthlink.net/~yatescr
Nov 23 '05 #2
Presumably in the context of a web application, you've got control over
the contexts in which users exist and log in. People accessing a publicly
accessible page, for instance, might connect as one user; people
accessing content via a login might connect as another.

Basically, for each role your web application creates in terms of types
of users, you can create a postgres user.

Often, it's as simple as creating a single postgres user that acts as a
proxy for the entire web application because, if you're the web
application designer as well, or can have authority over the
application in some way, you can know what sorts of permissions will be
required in the database.

-tfo

On Sep 7, 2004, at 11:39 PM, Randy Yates wrote:
Nov 23 '05 #3
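Putting the two answers together, as an added example that is not part of the thread: one PostgreSQL group role per web-application user type (anonymous visitor, logged-in member), with the login roles the application connects as made members of those groups, so the database enforces the same boundary the application layer checks. Role, table and column names are constructed for the illustration; it uses CREATE ROLE, which replaced CREATE USER/CREATE GROUP in PostgreSQL 8.1.

```sql
-- Added example, not from the thread. All names are constructed for illustration.
-- Group roles hold the privileges and cannot log in themselves.
CREATE ROLE web_guest  NOLOGIN;
CREATE ROLE web_member NOLOGIN;

-- Login roles the web application actually connects as: one for anonymous
-- visitors on public pages, one for authenticated sessions.
CREATE ROLE app_public  LOGIN PASSWORD 'replace-with-a-real-secret';
CREATE ROLE app_members LOGIN PASSWORD 'replace-with-a-real-secret';
GRANT web_guest  TO app_public;
GRANT web_member TO app_members;

-- Sample schema (constructed).
CREATE TABLE articles (id serial PRIMARY KEY, title text, body text);
CREATE TABLE orders   (id serial PRIMARY KEY, member_id integer, total numeric);

-- Start from no access: PUBLIC (every role) gets nothing on these tables.
REVOKE ALL ON articles, orders FROM PUBLIC;

-- Guests may only read content.
GRANT SELECT ON articles TO web_guest;

-- Members inherit the guest privileges (role membership is inherited by
-- default) and may additionally create and read orders. No UPDATE or
-- DELETE is granted, so a compromised member session cannot erase records.
GRANT web_guest TO web_member;
GRANT SELECT, INSERT ON orders TO web_member;
GRANT USAGE ON SEQUENCE orders_id_seq TO web_member;   -- needed for the serial id

-- Check the effective privileges of each login role, membership included.
SELECT has_table_privilege('app_public',  'articles', 'SELECT') AS guest_reads_articles,
       has_table_privilege('app_public',  'orders',   'INSERT') AS guest_inserts_orders,
       has_table_privilege('app_members', 'orders',   'INSERT') AS member_inserts_orders,
       has_table_privilege('app_members', 'orders',   'DELETE') AS member_deletes_orders;

-- Exercise the anonymous connection from a superuser session.
SET ROLE app_public;
SELECT count(*) FROM articles;                           -- covered by GRANT SELECT above
INSERT INTO orders (member_id, total) VALUES (1, 9.99);  -- app_public holds no INSERT on orders
RESET ROLE;
```

Run this as a superuser or as the owner of the objects; a real deployment would additionally restrict in pg_hba.conf which hosts each login role may connect from.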
