Hi,
SSPI Kerberos\NTLM authentication (Windows environment) currently only authenticates users, however, it does not authenticate a user against an LDAP \ Active Directory group.
This makes administration complex because an administrator would need to add\remove each user to\from an instance or if a user changes role then their permissions would need to be altered.
If you have many instances and many users then this becomes a long process which can be prone to error.
Industry best practices would be to define group(s) and assign permissions and roles to these and have SSPI authenticate users against these groups.
The responsibility of granting or altering permissions is at the LDAP \ Active Directory level which is its prime purpose.
This is something that other RDBMS can do and it would make PostgreSQL a far more attractive solution from that perspective.
Can you please look at making this possible?
This has been raised before (below) but nothing has been progressed further...
https://www.postgresql.org/message-id/20201016160029.GO19056%40tamriel.snowman.net
Many thanks.
John.
Disclaimer
***************************************************************************
PRIVATE & CONFIDENTIAL
This email may contain legally privileged, confidential information or copyright material of the sender or a third party. This email and any attachments are intended for the addressee(s) only. If you are not the intended recipient, please contact the sender by reply email and delete this email and any attachments immediately. You must not read, copy, use, distribute or disclose the contents of this email or any attachments without the consent of the sender or the relevant third party. The sender does not accept responsibility for any unauthorised use or reliance on the contents of this email including any attachments. Except as required by law, the sender does not represent or warrant that the integrity of this email has been maintained or that it is free from errors, viruses, interceptions or interference. Any views expressed by the sender in this email and any attachments are those of the individual sender, except where the sender specifically states them to be the views of a relevant third party.
This notice should not be removed from this email.
***************************************************************************