Re: Novice question about users and...rights?

From: Stephen Frost
Subject: Re: Novice question about users and...rights?
Msg-id 20171127181359.GX4628@tamriel.snowman.net
In response to: Re: Novice question about users and...rights?  (Laurenz Albe <laurenz.albe@cybertec.at>)
List: pgsql-novice
Laurenz,

* Laurenz Albe (laurenz.albe@cybertec.at) wrote:
> Stephen Frost wrote:
> > > Don't have a database user for each application user, but use
> > > one database user for the application to connect to the database.
> >
> > This makes the application have to handle all of the authentication and
> > authorization for the user, which certainly requires not only more code
> > in the application but may also be more complex.
>
> True, if you give administrative application users the CREATEROLE privilege,
> you can map database users to application users and have the database handle
> application user management.

Yes, you could do that, but it really depends on the environment as to
if that makes sense.  Not all systems should have self-subscription
capability; in many environments a user gets access to various resources
as part of 'on-boarding' at a company or similar and that sounds like
what would be appropriate here, where you'd actually have an admin or
another system (puppet, chef, et al) that would create the account.

Also, to be clear, the CREATEROLE privilege is more like 'create and
modify' roles and isn't something to be given out lightly.

> It is something I do not see often in the wild, but that does not mean
> it is a bad thing (unless you want the application to work with different DBMS).

This approach is something used much more frequently for internal
applications than for things like public websites.

Thanks!

Stephen
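
An added illustration of the arrangement discussed in this message, not part of the original email: an administrator or a provisioning tool creates one login role per person, privileges live on a group role, and no per-user role receives CREATEROLE. The schema, table and role names and the password are hypothetical placeholders.

```sql
-- Added example; all object and role names are hypothetical.
-- Run by an administrator or provisioning tool, not by the application.

-- Sample schema so the script is self-contained.
CREATE SCHEMA app;
CREATE TABLE app.orders (
    id         bigserial PRIMARY KEY,
    item       text NOT NULL,
    -- The database records which role inserted the row.
    created_by text NOT NULL DEFAULT current_user
);

-- 1. A group role carries the privileges and cannot log in itself.
CREATE ROLE app_users NOLOGIN;
GRANT USAGE ON SCHEMA app TO app_users;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_users;
GRANT USAGE ON SEQUENCE app.orders_id_seq TO app_users;

-- 2. On-boarding: one login role per person, with no role-management
--    or superuser attributes, made a member of the group role.
CREATE ROLE alice LOGIN NOSUPERUSER NOCREATEROLE NOCREATEDB
    PASSWORD 'CHANGE_ME'   -- placeholder, set during on-boarding
    IN ROLE app_users;

-- 3. Off-boarding: block login and drop the group membership.
ALTER ROLE alice NOLOGIN;
REVOKE app_users FROM alice;

-- 4. Audit: list every role that can create and modify other roles.
SELECT rolname, rolsuper, rolcreaterole
FROM pg_roles
WHERE rolsuper OR rolcreaterole
ORDER BY rolname;
```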
