I am in agreement here. As long as the sole reason for the group is to
define common lists of roles, then there should be a USER_GROUP table and a
GROUP_ROLE table.
However, if the groups are defined not for permissions (i.e., security), but
for the physical grouping of people, then you would need a USER_GROUP table
and a USER_ROLE table. I would argue that, in the latter case, there should
be a DEPARTMENT table for physical people-groupings, and one should use
groups to aggregate roles.
If a user needs more permissions, s/he should be added to another group or a
new group may need to be added. There could be a good argument for a
USER_ROLE table for finer granularity of control.
Cheers.
Ben
> -----Original Message-----
> From: Diethelm Guallar, Gonzalo [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 29, 2000 12:59 PM
> To: 'Turbine'
> Subject: Schema for new Turbine security DB
>
>
> The new Turbine security DB has two relation tables:
>
> * ROLE_PERMISSION: what permissions are in a role.
> * USER_GROUP_ROLE: what roles a given user has as
> a member of a given group.
>
> My gut tells me there could be one other relation
> that might be useful:
>
> * GROUP_ROLE: what roles a group has, and therefore,
> what roles any member of that group inherits.
>
> The motivation for this would be: say you realize
> your Administrators group now has to have the role
> DB_Maintenance, which includes several permissions
> to do DB maintenance. Right now, you would have to
> issue an insert that would add multiple rows to
> USER_GROUP_ROLE, one per each user of the Administrators
> group; with GROUP_ROLE, you would only add one row.
>
> I also see room for "inconsistencies", where
> a given user in a group may have or lack roles that
> other users in the same group lack or have (but this
> may be so by design).
>
> So, I guess the question behind all this is, what is
> the rationale for USER_GROUP_ROLE? Would there be
> room for GROUP_ROLE? Should one replace the other?
>
> Thanks,
>
>
> --
> Gonzalo A. Diethelm
> [EMAIL PROTECTED]
>
>
> ------------------------------------------------------------
> To subscribe: [EMAIL PROTECTED]
> To unsubscribe: [EMAIL PROTECTED]
> Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>
> Problems?: [EMAIL PROTECTED]
>
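The schema discussed in this thread (USER_GROUP plus GROUP_ROLE, with an optional USER_ROLE for per-user grants), as an added example that is not part of either message and not Turbine's own code. It runs on in-memory SQLite; the column names, users and permission names are assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE ROLE_PERMISSION (role_name TEXT, permission_name TEXT,
                              PRIMARY KEY (role_name, permission_name));
CREATE TABLE USER_GROUP (user_name TEXT, group_name TEXT,
                         PRIMARY KEY (user_name, group_name));
CREATE TABLE GROUP_ROLE (group_name TEXT, role_name TEXT,
                         PRIMARY KEY (group_name, role_name));
CREATE TABLE USER_ROLE (user_name TEXT, role_name TEXT,
                        PRIMARY KEY (user_name, role_name));
"""

# Roles reach a user through group membership or a direct USER_ROLE grant.
EFFECTIVE = """
SELECT DISTINCT rp.permission_name
FROM (SELECT gr.role_name AS role_name FROM USER_GROUP ug
        JOIN GROUP_ROLE gr ON gr.group_name = ug.group_name
       WHERE ug.user_name = :u
      UNION
      SELECT role_name FROM USER_ROLE WHERE user_name = :u) r
JOIN ROLE_PERMISSION rp ON rp.role_name = r.role_name
ORDER BY rp.permission_name
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data (hypothetical users and permissions).
    db.executemany("INSERT INTO ROLE_PERMISSION VALUES (?, ?)", [
        ("DB_Maintenance", "db_backup"), ("DB_Maintenance", "db_vacuum"),
        ("Auditor", "read_audit_log")])
    db.executemany("INSERT INTO USER_GROUP VALUES (?, ?)", [
        ("alice", "Administrators"), ("bob", "Administrators"),
        ("carol", "Staff")])
    db.execute("INSERT INTO USER_ROLE VALUES ('bob', 'Auditor')")
    return db

def permissions(db, user):
    """Effective permissions for one user, sorted by name."""
    return [row[0] for row in db.execute(EFFECTIVE, {"u": user})]

def grant_role_to_group(db, group, role):
    # One row, regardless of how many users belong to the group.
    cur = db.execute("INSERT INTO GROUP_ROLE VALUES (?, ?)", (group, role))
    return cur.rowcount

if __name__ == "__main__":
    db = build_db()
    print(grant_role_to_group(db, "Administrators", "DB_Maintenance"))
    for user in ("alice", "bob", "carol"):
        print(user, permissions(db, user))
```

Because every Administrators member resolves roles through the same GROUP_ROLE row, members of a group cannot drift apart in their inherited roles; any per-user difference is visible as an explicit USER_ROLE row.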