Question

I used to connect to the database using one database user per web application.

Now, for an enterprise application, it seems that a multi-database-user connection is safer than one user.

For example: the HR dept. uses the HR DB user account in its connection and the dev dept. uses another.

What's the best choice?


Solution

You can have one database user account per user, such as "Frank", and "Jane".

You can set up roles as well, such as "HR" or "CSR", and assign your users to roles. You can't do this in MySQL but you can in MariaDB, though you seem to have Oracle too ;)

You would also have a user account for the web server, whose only right is to CONNECT and call SET ROLE. You are essentially delegating authentication to the web server. The web server might authenticate the user in the database, or perhaps using OAUTH.

Connect as the web server user, then call SET ROLE to the name of whichever user is logging in. If you are careful to reset everything in a connection, then you can still use pooling.

Then, a user can only do what you have allowed them for their roles.

This is also useful for auditing, as you can just put CURRENT_USER in an audit table.
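The pattern the answer describes, written out for MariaDB as an added example (not code from the answer's author). The database, table, role and account names, and the `app-host.internal` host, are assumed:

```sql
-- Roles carry the table privileges; no person-level account holds them directly.
CREATE ROLE hr;
CREATE ROLE csr;
GRANT SELECT, UPDATE ON payroll.employees TO hr;
GRANT SELECT         ON crm.customers     TO csr;

-- Audit table (assumed layout). CURRENT_USER() is the same web-tier account in
-- every session of this model, so also record the active role and the identity
-- the web tier authenticated; otherwise the audit trail cannot tell Frank from Jane.
CREATE DATABASE IF NOT EXISTS audit;
CREATE TABLE audit.access_log (
  id          BIGINT AUTO_INCREMENT PRIMARY KEY,
  logged_at   TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  db_account  VARCHAR(128) NOT NULL,   -- CURRENT_USER(): the web tier's account
  active_role VARCHAR(128),            -- CURRENT_ROLE(): what actually gated the query
  app_user    VARCHAR(128) NOT NULL,   -- user authenticated by the web tier (e.g. OAuth)
  action      VARCHAR(255) NOT NULL
);
GRANT INSERT ON audit.access_log TO hr;
GRANT INSERT ON audit.access_log TO csr;

-- The web tier's account: CREATE USER gives it USAGE only (connect, nothing else).
-- Its reach is exactly the union of the roles it is allowed to activate.
CREATE USER 'webapp'@'app-host.internal' IDENTIFIED BY '<placeholder: load from a secrets store>';
GRANT hr  TO 'webapp'@'app-host.internal';
GRANT csr TO 'webapp'@'app-host.internal';

-- Per request, after the web tier has authenticated Frank (an HR employee):
SET ROLE hr;
INSERT INTO audit.access_log (db_account, active_role, app_user, action)
VALUES (CURRENT_USER(), CURRENT_ROLE(), 'frank', 'read payroll.employees');
SELECT employee_id, salary FROM payroll.employees WHERE employee_id = 42;

-- With SET ROLE csr instead, the same SELECT is denied: csr has no privilege on payroll.*

-- Before the connection goes back to the pool, drop the role so the next
-- borrower starts with nothing beyond USAGE. This reset is what makes pooling safe.
SET ROLE NONE;
```

The database can only enforce that the web tier never exceeds the roles granted to `webapp`; picking the right role for the right person is the web tier's responsibility, which is the delegation the answer refers to.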

OTHER TIPS

If I understand your question correctly, it is generally preferable to set up various accounts so you can define access rights to various tables to the granularity you need.
For example, data that belong to the HR department should ideally be accessed by employees of HR while possibly being viewed by higher management. Likewise, data regarding customers should be accessed by customer service people, etc.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow