foobarmus wrote:
> I'm managing a programming team that's developing a web app in python.
> I'd like to be using Django but can't at the moment because one of the
> things we are doing is driving the application user into the database
> connection, so that we can implement access control at database level.
>
> I would like some opinions on this practice. I think it's important. I
> don't understand why frameworks like Django don't allow for it. It is
> not difficult to do.
>

The main reasons I can see on why people ignored using db-user based ACL's are:

- They only offer functionality controlling access at the table/row level. Most ACLs are based on function and possibly column-level access. E.g. user joe can only authorize/access accounts in his sales region, and on orders less than $5k can't be done in a DB-based ACL.
- Most larger organizations favor single sign-on for their authentication, which means control goes out of the database.
- Not everything is in a database, and some things span multiple databases.
- Basic security can be achieved with 2 users: a public-facing, very limited user with mainly read-only access, and a high-auth user on a separate port/webserver instance with higher-level access.
- It requires interaction with a DBA. This is an expensive and scarce resource in most organizations, so people routed around them. (I've been in several orgs where projects are held up on DBAs who are needed to write sprocs instead of just doing simple SQL.)
- A large proportion of apps don't need ACLs.

Those are some of the reasons which come off the top of my head; I'm sure there are more.

> Is there some popular wisdom on this issue that I haven't been exposed
> to?
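
An added example, not part of the original message or of Django: the kind of rule the reply mentions (a user limited to orders in his own sales region and under $5k), enforced in the application while every request shares one database connection. The `AppUser` class, the `orders` table, its columns and the sample rows are constructed for this illustration.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class AppUser:  # hypothetical application-level user, not a database login
    name: str
    region: str
    approval_limit_cents: int


def make_db():
    """Constructed sample data; the app uses one shared DB account for all users."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, region TEXT, "
        "amount_cents INTEGER, authorized_by TEXT)"
    )
    db.executemany(
        "INSERT INTO orders (id, region, amount_cents) VALUES (?, ?, ?)",
        [(1, "west", 120_000), (2, "west", 750_000), (3, "east", 90_000)],
    )
    return db


def visible_orders(db, user):
    """Row scoping: a user only ever sees orders in their own region."""
    rows = db.execute(
        "SELECT id FROM orders WHERE region = ? ORDER BY id", (user.region,)
    )
    return [r[0] for r in rows]


def authorize_order(db, user, order_id):
    """Function-level rule: in-region orders under the user's limit only.

    The conditions live in the UPDATE itself, so the check and the write are
    one atomic statement, and an out-of-region id looks the same as a missing one.
    """
    cur = db.execute(
        "UPDATE orders SET authorized_by = ? "
        "WHERE id = ? AND region = ? AND amount_cents < ? "
        "AND authorized_by IS NULL",
        (user.name, order_id, user.region, user.approval_limit_cents),
    )
    db.commit()
    return cur.rowcount == 1
```

All values are bound as parameters, so the per-user scoping cannot be altered through request input.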