
Re: Fooling with roles

From: Rachel Carmichael <carmichr_at_hotmail.com>
Date: Mon, 14 Aug 2000 15:34:22 GMT
Message-Id: <10589.114503@fatcity.com>


A couple of things. Be very careful about how you assign the roles: you cannot do a "circular assign" (assign role1 to role2, assign role2 to role3, assign role3 to role1).

Also, there is an upper limit to the number of levels you can have when assigning roles... for some reason 64 sticks in my mind, but I don't know why... so design the roles and levels VERY carefully.

>From: "Ron Rogers" <RROGERS_at_galottery.org>
>Reply-To: ORACLE-L_at_fatcity.com
>To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
>Subject: Re: Fooling with roles
>Date: Mon, 14 Aug 2000 06:56:02 -0800
>
>You can create the roles you need (role1, role2, role3, etc.) and assign
>different privileges to each role and then grant the roles to each other up
>the chain.
>As an example:
>grant select any table to role1;
>grant delete any table to role2;
>grant role1 to role2;
>role1 can select but not delete and role2 can select and delete.
>Hope this helps.
>Ron Rogers
>DBA OCP
>Atl.GA
>
> >>> ismgr_at_pctc.com 08/11/00 08:01PM >>>
>I'm starting to paper-design our security layout for some new software. Our
>plan is to assign people levels of security, like AP(1-9), ISSUING(1-9),
>RECEIVABLES(1-9), HR(1-9), etc etc. There's nothing special about the range
>1-9, just seems intuitive.
>Each level will be a superset of the one below it, i.e. each level includes
>all the privileges of all levels below. People will have multiple
>clearances (because we're a small company), so someone might be an HR-2, an
>AR-4, an AP-1, etc.
>
>I'm planning to create a ROLE for each level of each security type. I have
>the following questions and concerns...
>
>1) Can I explicitly include a lower role in a higher role? For instance,
>can I define AR-2 as AR-1 + some new privileges? I don't mean conceptually,
>I mean can I actually define AR-2 in Oracle as AR-1 + some more stuff, such
>that if I add a privilege to AR-1, it automatically propagates up the
>chain?
>
>2) If not, I'll have to either explicitly assign increasingly larger sets
>of privileges to higher roles, or I'll have to assign a given role plus all
>below it to each user. Which way is more efficient? Or more to the point,
>which one is *less* efficient?
>
>---
>Dennis Taylor
>---
>The opinions expressed herein are mine. Get your own opinions!
>---
>--
>Author: Dennis Taylor
> INET: ismgr_at_pctc.com
>
>Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
>San Diego, California -- Public Internet access / Mailing Lists
>--------------------------------------------------------------------
>To REMOVE yourself from this mailing list, send an E-Mail message
>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
>the message BODY, include a line containing: UNSUB ORACLE-L
>(or the name of mailing list you want to be removed from). You may
>also send the HELP command for other information (like subscribing).
>
>--
>Author: Ron Rogers
> INET: RROGERS_at_galottery.org


Received on Mon Aug 14 2000 - 10:34:22 CDT
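
The role chain discussed in this thread, as an added example that is not part of the original messages: it builds a three-level hierarchy, shows the circular grant Oracle rejects, and audits what the top role inherits. The table `ar_invoices` and the roles `ar_1` to `ar_3` are hypothetical names, and object privileges are used here instead of the `ANY` system privileges so each level grants only what it needs.

```sql
-- Added example; table and role names are hypothetical.
-- Run as an account that can CREATE ROLE, CREATE TABLE and query the DBA_ views.

CREATE TABLE ar_invoices (id NUMBER PRIMARY KEY, amount NUMBER);

CREATE ROLE ar_1;
CREATE ROLE ar_2;
CREATE ROLE ar_3;

-- Each level holds only the privileges that are new at that level ...
GRANT SELECT ON ar_invoices TO ar_1;
GRANT INSERT, UPDATE ON ar_invoices TO ar_2;
GRANT DELETE ON ar_invoices TO ar_3;

-- ... and inherits the levels below by being granted the lower role.
-- A privilege granted to ar_1 later is picked up by ar_2 and ar_3.
GRANT ar_1 TO ar_2;
GRANT ar_2 TO ar_3;

-- Closing the loop is expected to fail with
-- ORA-01934: circular role grant detected
GRANT ar_3 TO ar_1;

-- Audit 1: every role ar_3 inherits, indented by nesting depth.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || granted_role AS inherited_role,
       LEVEL AS depth
FROM   dba_role_privs
START  WITH grantee = 'AR_3'
CONNECT BY PRIOR granted_role = grantee;

-- Audit 2: effective object privileges of ar_3, with the role that
-- actually carries each one.
SELECT grantee AS via_role, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   START  WITH grantee = 'AR_3'
                   CONNECT BY PRIOR granted_role = grantee
                   UNION ALL
                   SELECT 'AR_3' FROM dual)
ORDER  BY via_role, privilege;
```

The `depth` column in the first audit query gives the nesting level of each inherited role, which is the figure to watch when a design has many levels.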
