This feature request comes on behalf of a customer.
It seems that currently roles allow one to only set permissions, but not to impose usage limits (like max connections, max queries per unit of time etc.). It would be quite helpful to have these capabilities also in roles, so that RBAC may become truly powerful; without this, one still has to keep separate user accounts just to impose usage limits.
On the question of possible conflict between limits defined in a role and for the user himself, there are probably several options to choose from:
- Role always takes precedence.
- Role and user are superimposed and higher values take precedence.
- Role and user are superimposed and lower values take precedence.
On the question of what to do with the currently opened connections, I guess we should keep it simple and not try to be retroactive, i.e. if, upon assumption of a role, the user gets a lower max allowed connections than he currently has open, he should simply not be allowed to open any new ones. Similarly, any time-based limits (queries per hour etc.) should only be imposed forward in time; no need to try and look into what was before the role was assumed etc.
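
The three precedence options and the forward-only enforcement described above, modelled as an added sketch that is not part of the original request and not any product's implementation. All names are hypothetical, and treating an unset limit as `None` (falling back to whichever side defines one) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical names for the three conflict-resolution options in the request.
ROLE_WINS, HIGHER_WINS, LOWER_WINS = "role", "higher", "lower"

def effective_limit(role: Optional[int], user: Optional[int], policy: str) -> Optional[int]:
    """Combine a role limit with a user limit; None means 'not set' (assumption)."""
    if role is None or user is None:
        return user if role is None else role   # only one side defines a limit
    if policy == ROLE_WINS:
        return role
    return max(role, user) if policy == HIGHER_WINS else min(role, user)

@dataclass
class Account:
    user_max_conn: Optional[int]
    user_max_queries: Optional[int]
    policy: str
    open_conns: int = 0
    queries_in_window: int = 0
    max_conn: Optional[int] = None
    max_queries: Optional[int] = None

    def __post_init__(self):
        # Before any role is assumed, the user's own limits apply.
        self.max_conn, self.max_queries = self.user_max_conn, self.user_max_queries

    def assume_role(self, role_max_conn: Optional[int], role_max_queries: Optional[int]):
        self.max_conn = effective_limit(role_max_conn, self.user_max_conn, self.policy)
        self.max_queries = effective_limit(role_max_queries, self.user_max_queries, self.policy)
        # Forward-only: queries issued before the role was assumed are not counted.
        self.queries_in_window = 0
        # Not retroactive: open_conns is left alone even if it exceeds max_conn.

    def open_connection(self) -> bool:
        if self.max_conn is not None and self.open_conns >= self.max_conn:
            return False                        # over the limit: refuse new ones only
        self.open_conns += 1
        return True

    def close_connection(self):
        self.open_conns = max(0, self.open_conns - 1)

    def run_query(self) -> bool:
        if self.max_queries is not None and self.queries_in_window >= self.max_queries:
            return False
        self.queries_in_window += 1
        return True
```
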