Message-Id: <10586.114424@fatcity.com>
From: Dennis Taylor
Date: Fri, 11 Aug 2000 15:01:04 -0700
Subject: Fooling with roles

I'm starting to paper-design our security layout for some new software. Our plan is to assign people levels of security, like AP(1-9), ISSUING(1-9), RECEIVABLES(1-9), HR(1-9), etc etc. There's nothing special about the range 1-9, just seems intuitive. Each level will be a superset of the one below it, i.e. each level includes all the privileges of all levels below. People will have multiple clearances (because we're a small company), so someone might be an HR-2, an AR-4, an AP-1, etc.

I'm planning to create a ROLE for each level of each security type. I have the following questions and concerns...

1) Can I explicitly include a lower role in a higher role? For instance, can I define AR-2 as AR-1 + some new privileges? I don't mean conceptually, I mean can I actually define AR-2 in Oracle as AR-1 + some more stuff, such that if I add a privilege to AR-1, it automatically propagates up the chain?

2) If not, I'll have to either explicitly assign increasingly larger sets of privileges to higher roles, or I'll have to assign a given role plus all below it to each user. Which way is more efficient? Or more to the point, which one is *less* efficient?

--- Dennis Taylor ---
The opinions expressed herein are mine. Get your own opinions!
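The layered layout described in the message, sketched as Oracle SQL in an added example that is not part of the original post: Oracle lets one role be granted to another, so each level can hold only its own new privileges plus the level below. The role names (`ar_1` to `ar_3`, with underscores because unquoted Oracle identifiers cannot contain a hyphen), the `ar` schema, its tables and the user `jsmith` are assumptions made for illustration.

```sql
-- Added example: hypothetical roles, schema, tables and user.

-- One role per level of one security type.
CREATE ROLE ar_1;
CREATE ROLE ar_2;
CREATE ROLE ar_3;

-- Each role carries only the privileges that are new at its level.
GRANT SELECT         ON ar.invoices TO ar_1;
GRANT INSERT, UPDATE ON ar.invoices TO ar_2;
GRANT DELETE         ON ar.invoices TO ar_3;

-- Nest the levels: a role granted to a role is inherited by its grantees.
GRANT ar_1 TO ar_2;
GRANT ar_2 TO ar_3;

-- A user needs exactly one grant per security type.
GRANT ar_3 TO jsmith;

-- A privilege added to the lowest level later reaches ar_2 and ar_3
-- (and therefore jsmith) without any further grants.
GRANT SELECT ON ar.customers TO ar_1;

-- Review 1: the role-to-role edges, to confirm the chain is what was intended.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('AR_2', 'AR_3')
 ORDER BY grantee;

-- Review 2: every role jsmith holds directly or through nesting.
SELECT DISTINCT granted_role
  FROM dba_role_privs
 START WITH grantee = 'JSMITH'
CONNECT BY PRIOR granted_role = grantee;

-- Review 3: the object privileges attached to each level, for a
-- least-privilege check of what a level really adds.
SELECT role, owner, table_name, privilege
  FROM role_tab_privs
 WHERE role IN ('AR_1', 'AR_2', 'AR_3')
 ORDER BY role, table_name, privilege;

-- Caveat: privileges held only through a role are not in effect inside
-- definer's-rights stored PL/SQL; the owner of such code needs direct grants.
```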