I considered that point as well, however, I still believe it is better not
to have my user accounts handled by the db - because:
1. Fewer database user accounts means fewer vectors for entry into the db.
2. Controlling access to the data via your app gives you more control over
what the end user can see and what they can do with the data.
3. You can still use the Postgres' built in access controls to limit what
your user can do in the db as an added layer of security.
- When I say 'your user' I mean the user you set up to give your web app
access to the database and not the individual web app users contained within
the database.
4. Correct me if I'm wrong, but I don't think that Postgres allows access
control at the column or row level, just at the table level. Controlling
access via your app will give you access control down to whatever level you
need.
5. As another poster mentioned, controlling access via your app allows you
the ability to move to other rdbms' more easily if you choose to do so at a
later date.
Anyway, that's my $.02.
Kevin
-----Original Message-----
From: pgsql-novice-owner@postgresql.org
[mailto:pgsql-novice-owner@postgresql.org] On Behalf Of Roland Giesler
Sent: Thursday, January 05, 2006 5:50 AM
To: pgsql-novice@postgresql.org
Subject: Re: [NOVICE] Best way to manage users
Kevin Crenshaw wrote:
> I think that the best solution - given the discussion thus
> far - is to have a separate pg user that the web app will
> use to access the database, and create a 'users' table in the
> db to store the web app usernames and passwords etc...
Well, using postgres users to authenticate web users has the advantage that
one can set up access priviledges in the database and in doing so limit the
bypassing of access security from other apps or the likes of PgAdmin.
Defining group roles and simply adding or removing users to a group, makes
the process relatively simple. Without this, one would have to define all
these things (table and column level access) manually and test for it in
your app, which makes things quite a bit more complex. Thinking this all
through, it seems that using PG users is till a good option if you need to
have different user profiles in an app.
Comments?
Roland
---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?
http://www.postgresql.org/docs/faq