Re: [Gnumed-devel] Managing staff (user accounts)

[Karsten Hilbert]

On Tue, May 24, 2011 at 12:00:35PM -0700, Jim Busser wrote:

> >> So is any-doc not an actual postgres database user, just a value in a 
> >> table used by the GNUmed application?
> > 
> > No, it's the database user.
> 
> So a GNUmed level user account is, at the same time, also
> a Postgres level account, and the relevance of calling it
> (at the same time a GNUmed account) is because such accounts
> represent a subset *within* all of the various users who
> could exist across (potentially multiple) Postgres
> databases.

Not really.

At the postgres level there is database accounts with access
rights for certain databases, tables, schemata, functions,
etc. Those exist regardless of any application:

- any-doc
- gm-dbo
- ...

A GNUmed level staff account consists of three distinct parts:

- a GNUmed person (dem.identity)

- a GNUmed staff member (dem.staff) linked to the GNUmed person

- a PostgreSQL account associated with the GNUmed staff member



> Given that, at the same time, a separate Postgres schema

... database, but, yes ...

(databases are like books, while schemata are like chapters,
 and tables are pages, a cluster is a shelf)

> might get deployed on the same machine for something like
> LSMB (unless this is a bad idea)… would an LSMB schema
> need to live inside a separate cluster or could it live in
> the same (default) cluster as GNUmed?

An LSMB *schema* (chapter) could even live within the GNUmed
*database* (book). It shouldn't though because then one
would need to grant database access rights to LSMB users.
Still, tables would not be readable but the database would.

LSMB can (and most often would) live in a separate database
(book) within the same cluster (shelf).

> Does Postgres "track / manage" user accounts across schemas such that if 
> James T Kirk were granted a GNUmed account
> 
>       jaki
> 
> then and if Kirk insists that (and we accede to allow him) to also operate 
> the accounting program LSMB, would we register into LSMB the same account user
> 
>       jaki
> 
> so that Postgres can manage this user across both schemas, or must he be 
> assigned a different user account name in LSMB? IOW does Postgres not care, 
> and would it separately manage
> 
>       jaki (in GNUmed)
> 
> and
> 
>       jaki (in LSMB)
> 
> who might even be different persons despite that to set it up that way would 
> be inadvisable?

In PostgreSQL currency the database account "jaki" stays
"jaki". There cannot be two thereof within the same cluster.
It still depends on PostgreSQL database access rights
(pg_hba.conf) which databases/tables jaki can actually
access.

What *applications* like GNUmed or LSMB *associate* with
such accounts PostgreSQL careth not.

Hope this confused everything even further :-)

Karsten
-- 
GPG key ID E4071346 @ gpg-keyserver.de
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346