Authentication Enhancement Proposal

From: Christopher Hotchkiss
Subject: Authentication Enhancement Proposal
Date:
Msg-id: AANLkTikK-6S4kMLQGWx56tQL5L2xSPyAUmnvYr+rmS3G@mail.gmail.com
Replies: Re: Authentication Enhancement Proposal (Tom Lane <tgl@sss.pgh.pa.us>)
         Re: Authentication Enhancement Proposal (Christian Ullrich <chris@chrullrich.net>)
List: pgsql-hackers
To All,

I would like to propose (and volunteer to do, if it's considered to be a decent idea) to extend the mapping of users to roles in the pg_ident.conf to incorporate groups. This would allow any user who belonged to a particular group in certain authentication systems to be mapped to a role using the existing regular expression support that exists today. This would also allow the offloading of the creation of new users for the system to an external mechanism instead of needing to create a new role in the database for each person. At the same time, by allowing the mapping to match based off of groups, the offloading of authentication would still allow for restrictions of who could connect to the database.

A second enhancement that would be useful would be that, despite what role the database logs the user in as, the server sets a read-only session variable similar to application_name that could store the system username or username plus groups for use in audit triggers.

For example:
User Bob is a sales clerk and needs to log in to the database... the database client uses his existing login credentials (sspi, gssapi, kerberos or pam) and attempts authentication to the database. The database takes the incoming user name, appends the groups Bob belongs to, and finds a usermap that maps him to a generic role for access privileges into the database.

Changes Needed:
- Add support for an option "append_groups" to the sspi, gssapi, kerberos and pam authentication methods in pg_hba.conf
- After the authentication process, if append_groups is enabled, use the APIs for those authentication methods to append all groups for the user in the following format
  - USERNAME -> USERNAME:[GROUP][,GROUP]...
- Add another session variable similar to session_user and current_user that stores the username + group that cannot be reset without superuser privileges.

How does this proposal sound?
--
Christopher Hotchkiss "chotchki"
http://www.chotchki.us
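The mapping stage the message describes, modelled as an added example that is neither PostgreSQL code nor the author's: it builds the proposed USERNAME:[GROUP][,GROUP]... identity string, then evaluates constructed pg_ident.conf-style map lines against it following the documented rules for that file (a system-username beginning with "/" is a regular expression, and "\1" in the PG-USERNAME column stands for the pattern's first capture). The map names, usernames, groups and roles are constructed sample data, Python's re module stands in for PostgreSQL's ARE engine, and the delimiter check in append_groups is this example's own assumption rather than part of the proposal.

```python
import re

# Constructed pg_ident.conf-style map (sample data, not a real configuration).
# A SYSTEM-USERNAME starting with "/" is a regular expression, as in the real
# file; "\1" in the PG-USERNAME column refers to the pattern's first capture.
IDENT_MAP = r"""
# MAPNAME  SYSTEM-USERNAME                        PG-USERNAME
corp       /^[^:]+:(?:[^,]+,)*sales(?:,[^,]+)*$   sales_clerk
corp       /^[^:]+:(?:[^,]+,)*dba(?:,[^,]+)*$     dba
corp       /^([^:]+)(?::.*)?$                     \1
loose      /sales                                 sales_clerk
"""


def identity_tokens_ok(username, groups):
    """The ':' and ',' delimiters of the proposed format are only unambiguous
    if no username or group name can contain them. This check is the
    example's assumption; the proposal itself does not specify escaping."""
    return all(":" not in t and "," not in t for t in [username, *groups])


def append_groups(username, groups):
    """Build the USERNAME:[GROUP][,GROUP]... string the proposed append_groups
    option would hand to the user-map stage (hypothetical helper)."""
    if not identity_tokens_ok(username, groups):
        raise ValueError("delimiter character inside a username or group name")
    return f"{username}:{','.join(groups)}" if groups else username


def parse_ident_map(text):
    """Parse MAPNAME SYSTEM-USERNAME PG-USERNAME lines, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mapname, sysname, pgname = line.split()
            entries.append((mapname, sysname, pgname))
    return entries


def map_user(entries, mapname, identity, requested_role):
    """True if some entry of `mapname` lets `identity` log in as `requested_role`.

    Regex entries are evaluated with re.search, i.e. unanchored unless the
    pattern anchors itself (POSIX search semantics; PostgreSQL's own
    documented examples anchor with ^ and $ for the same reason)."""
    for name, sysname, pgname in entries:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], identity)
            if m is None:
                continue
            if "\\1" in pgname:
                if not m.groups():
                    raise ValueError("PG-USERNAME uses \\1 but pattern has no capture")
                pgname = pgname.replace("\\1", m.group(1))
        elif sysname != identity:
            continue
        if pgname == requested_role:
            return True
    return False


ENTRIES = parse_ident_map(IDENT_MAP)

if __name__ == "__main__":
    bob = append_groups("bob", ["vpn", "sales"])        # "bob:vpn,sales"
    alice = append_groups("alice", ["sales_admin"])     # "alice:sales_admin"
    print(map_user(ENTRIES, "corp", bob, "sales_clerk"))    # True
    print(map_user(ENTRIES, "corp", bob, "dba"))            # False
    print(map_user(ENTRIES, "corp", bob, "bob"))            # True, via \1
    print(map_user(ENTRIES, "corp", alice, "sales_clerk"))  # False: whole-token match
    print(map_user(ENTRIES, "loose", alice, "sales_clerk")) # True: substring match leaks
```

The "corp" patterns match a group only as a complete comma-delimited token, so a member of "sales_admin" does not acquire the "sales" mapping; the "loose" map shows what an unanchored pattern does with the same input. The delimiter rejection exists because a username that itself contained ":" would otherwise be indistinguishable from a username followed by a group list.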
