> To put it another way, keeping the two sets of names distinct is incrementally more complex to manage. Which might be worth it if there really is any gain. Is this a "best practice," or is it really a manifestation of its closely-related cousin, the "silly practice?" :)

It's ultimately up to your use case. I generate my auth maps using CM tools (i.e. Ansible) so the management overhead is minimal. My web applications all run as the "deploy" (OS) user, but each have separate DB users ("baltar", "caprica", "leoben", etc.) and those DB users only have access on the DBs they need to.
From a security perspective, any application compromise (say, a bug in an SQL driver/lib) will therefore only affect the databases that user can access, and not all the databases the OS user can access (which could be many!).
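
As an added illustration, not part of the original post: assuming the "auth maps" are PostgreSQL `pg_ident.conf` user name maps used with peer authentication, the setup described could look like the following. The map name `webapps` and the database names are constructed for the example.

```conf
# --- pg_ident.conf (assumed PostgreSQL; map name "webapps" is constructed) ---
# One OS user, several database roles it is allowed to connect as.
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
webapps     deploy            baltar
webapps     deploy            caprica
webapps     deploy            leoben

# --- pg_hba.conf (database names are constructed) ---
# Each role is admitted only to its own database over the local socket.
# TYPE  DATABASE     USER      METHOD
local   baltar_db    baltar    peer map=webapps
local   caprica_db   caprica   peer map=webapps
local   leoben_db    leoben    peer map=webapps
# A connection request that matches no line is rejected, so keep any
# broader entries (for example "local all all ...") from matching these
# roles if baltar must not be able to open a session on caprica_db.
```

The OS user `deploy` may still connect as any of the three mapped roles, so this limits what a compromised database session can reach (for instance one hijacked through a driver or injection bug); it does not separate the applications from one another at the OS level.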