Tom Lane wrote:
> So I think we don't have much choice but to implement theory #2; which
> is essentially the same thing I said earlier, ie, ACLs have to record
> the grantor of a privilege as being the role actually holding the grant
> option, not the role-member issuing the GRANT.
There are really two different considerations here.
The first is the meaning of the role relationships involved. With
respect to this, I'm in agreement that the recorded grantor of the
privilege should be the role actually holding the option.
But the second is auditing. It's useful to know which user/role
actually performed the grant in question, independent of the grant
relationships themselves.
These two are at odds with each other only if the system can record
only one of the two things. The auditing consideration really argues
for the implementation of an audit trail table/structure, if one
doesn't already exist (and if it already exists, then clearly the ACLs
should be storing the id of the role holding the grant, since the
audit structure will separately record the user/role issuing the
grant).
--
Kevin Brown kevin@sysexperts.com
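The two records distinguished above, shown side by side in PostgreSQL as an added example that is not part of this thread: the ACL stores the role holding the grant option as grantor, and a separate audit trail stores the session that actually issued the GRANT. It assumes PostgreSQL 11 or later and a superuser session (needed for CREATE EVENT TRIGGER and SET SESSION AUTHORIZATION); the role, table and audit-table names are made up for the illustration.

```sql
-- Constructed example (not from the thread): assumes PostgreSQL 11+ and a
-- superuser session, which CREATE EVENT TRIGGER requires.

-- 1. Audit trail: a table plus an event trigger that records who really
--    issued each GRANT/REVOKE, independent of what the ACL will store.
CREATE TABLE grant_audit (
    logged_at    timestamptz NOT NULL DEFAULT now(),
    session_role text NOT NULL,   -- session_user: the login that issued it
    effective    text NOT NULL,   -- current_user: role in effect (after SET ROLE)
    command_tag  text NOT NULL,
    object_type  text,
    statement    text             -- the GRANT/REVOKE statement text itself
);

-- SECURITY DEFINER so ordinary roles need no access to the audit table;
-- only the trigger function appends to it.
CREATE FUNCTION log_grant() RETURNS event_trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
DECLARE
    cmd record;
BEGIN
    FOR cmd IN SELECT command_tag, object_type
               FROM pg_event_trigger_ddl_commands() LOOP
        INSERT INTO grant_audit (session_role, effective, command_tag, object_type, statement)
        VALUES (session_user, current_user, cmd.command_tag, cmd.object_type, current_query());
    END LOOP;
END;
$$;

CREATE EVENT TRIGGER audit_grants ON ddl_command_end
    WHEN TAG IN ('GRANT', 'REVOKE')
    EXECUTE FUNCTION log_grant();

-- 2. Role relationships: alice is a member of app_owner, which owns the table.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE app_owner;
CREATE ROLE bob LOGIN;
CREATE TABLE accounts (id int PRIMARY KEY, balance numeric);
ALTER TABLE accounts OWNER TO app_owner;

-- 3. alice grants through her membership; she holds no grant option herself.
SET SESSION AUTHORIZATION alice;
GRANT SELECT ON accounts TO bob;
RESET SESSION AUTHORIZATION;

-- 4. The ACL's grantor column is the role actually holding the grant option
--    (the owner), not the member who typed the statement ...
SELECT grantee::regrole, grantor::regrole, privilege_type
FROM pg_class, aclexplode(relacl) WHERE relname = 'accounts';
-- ... while the audit trail keeps the session that issued it.
SELECT logged_at, session_role, effective, command_tag, statement FROM grant_audit;
```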