On 12/09/2011 05:46 AM, James B. Byrne wrote:
The topic of RDBMS security has arisen in a discussion
and, lacking evidence of my own, I am curious to discover
just how frequently DBMS userids tied to specific
individuals are used in production RDBMS based systems. I
am also curious to know how often VIEWS are tied to
individual user IDs known to the DBMS rather than to
shared user IDs known only to an application through a
configuration file.
User IDs are often used to help secure multi-tenanted databases. I just wrote about this in response to another question, see:
http://stackoverflow.com/questions/8432636/in-postgresql-are-partitions-or-multiple-databases-more-efficient/8439618#8439618 Individual user IDs are often useful the same way, via `SET ROLE' from an unpriveleged account a connection pool uses.
Because of connection establishment overheads and the need to pool connections I'm generally reluctant to use setups where the app auths against the database with a given user ID and password directly.
--
Craig Ringer
