For non-repudiation and other reasons, application access would normally
be done by unique userid for each user. As such, administration is much
easier to handle by role than by the potentially large number of users
involved.
Unfortunately, many applications are written to access the database
through one database userid, rather than one userid per user. This
defeats all sorts of capabilities built into the database - although
Real Application Security does restore some of that capability.
My opinion, not necessarily that of my employer
/Hans
On 2017-03-07 12:01 PM, Dominic Brooks wrote:
not granting privileges to application schemas directly only via roles?