That's exactly right, Alan. MS just implemented what has been worked out
for a long time: that there are permissions and there are roles and that
the two are distinct.

-----Original Message-----
From: Alan McCollough [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, April 04, 2002 11:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: secure tag and permissions


Sounds like permissions and roles in MS SQL 7. Users can belong to
roles. Users can have permissions assigned to them. Roles can
Grant/Deny/Revoke permissions. Generally you assign users to roles, but
you can 'atomically' (probably not healthy in the long run) grant/deny
permissions directly to a user.

Ya know, if somebody wanted to take the time to take a look at how the
whole user/role permissions thing works in MS SQL, it could probably be
reverse engineered, but I'm not sure if that would violate any laws. But
the idea itself could work fine. Instead of granting permission to
access tables or run stored procs, you'd be granting permission to
execute functions/processes within your FB app.


> -----Original Message-----
> From: hal helms [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, April 04, 2002 4:47 AM
> To:   [EMAIL PROTECTED]
> Subject:      RE: secure tag and permissions
> 
> There is a difference between permissions and roles. Permissions are 
> atomic. Someone has permission to read a document or not. Roles are 
> collections of permissions. The role of a WWRAdmin has the permissions
> to read a document, write a document, and edit a document. A person 
> may have many roles. I belong to WWRAdmin and SuperUsers. This means 
> that anything that a WWRAdmin OR a SuperUser has permission for, *I* 
> have permission for. But it also means that I can be assigned 
> permission to create a document directly, without assigning me to a 
> role that has that permission.
> 
> -----Original Message-----
> From: BORKMAN Lee [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 04, 2002 2:28 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: secure tag and permissions
> 
> 
> Hmm, I'm generally with John on this one.  I use the names of Groups,
> eg:
> 
> IF you are a member of (WWRAdmin OR SuperUsers OR ITAudit) {
>   Run this bit of secured code
> } else {
>   Call police
> }
> 
> Hal and I have argued about this on many occasions, but I think we 
> simply have a conceptual gap.  Hal talks about permissions, I talk 
> about roles.  We don't *connect*.  It's a paradigm thing.
> 
> I am *almost* sure that the two approaches are actually functionally 
> equivalent, but I know which I prefer ;-)
> 
> See ya,
> LeeBB
>  
> 
> -----Original Message-----
> From: hal helms [mailto:[EMAIL PROTECTED]]
> 
> John is in rare form today, first urging people to add code to their 
> prototypes and now suggesting that we abandon Bit math because it's 
> too much effort? I suspect someone has kidnapped my friend, John, and 
> is making him type these crazy things. ...
> 
> 
> 
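Added example, not part of the original thread or any poster's code: a small Python model of the scheme discussed above, with roles as collections of permissions, direct per-user grants, and the group-name gate from the pseudocode next to a permission check. The permission names, the `contractor` and `auditor` users, the role contents, and the rule that an explicit deny always wins are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    grants: set = field(default_factory=set)
    denies: set = field(default_factory=set)

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    grants: set = field(default_factory=set)  # direct ("atomic") grants
    denies: set = field(default_factory=set)  # direct denies

def effective_permissions(user):
    """Union of role grants and direct grants, minus every deny."""
    granted, denied = set(user.grants), set(user.denies)
    for role in user.roles:
        granted |= role.grants
        denied |= role.denies
    return granted - denied  # assumption: an explicit deny always wins

def has_permission(user, permission):
    """Permission-style check: ask what the user may do."""
    return permission in effective_permissions(user)

def in_any_role(user, role_names):
    """Role-style check: ask which groups the user belongs to."""
    return any(r.name in role_names for r in user.roles)

# Constructed sample data: role names from the thread, everything else hypothetical.
WWR_ADMIN = Role("WWRAdmin", grants={"doc.read", "doc.write", "doc.edit"})
SUPER_USERS = Role("SuperUsers", grants={"doc.read", "doc.create"})
IT_AUDIT = Role("ITAudit", grants={"doc.read"}, denies={"doc.write"})

hal = User("hal", roles=[WWR_ADMIN, SUPER_USERS])
contractor = User("contractor", grants={"doc.create"})  # no roles, one direct grant
auditor = User("auditor", roles=[WWR_ADMIN, IT_AUDIT])  # one role denies doc.write

def demo():
    """Map each user to (passes the group gate?, effective permissions)."""
    gate = {"WWRAdmin", "SuperUsers", "ITAudit"}
    return {u.name: (in_any_role(u, gate), sorted(effective_permissions(u)))
            for u in (hal, contractor, auditor)}

if __name__ == "__main__":
    for name, (role_ok, perms) in demo().items():
        print(f"{name}: group gate={role_ok}, permissions={perms}")
```

The two checks give the same answer for `hal`, but differ for `contractor` (direct grant, no group) and `auditor` (in a gated group, yet denied `doc.write`).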
