Josh Berkus <josh@agliodbs.com> writes:
> Multilevel frameworks have concepts of data hiding and data substitution
> based on labels. That is, if a user doesn't have permissions on data,
> he's not merely supposed to be denied access to it, he's not even supposed
> to know that the data exists. In extreme cases (think military / CIA use)
> data at a lower security level should be substitited for the higher
> security level data which the user isn't allowed. Silently.
Yeah, that's what I keep hearing that the spooks think they want.
I can't imagine how it would play nice with SQL-standard integrity
constraints. Data that apparently violates a foreign-key constraint,
for example, would give someone a pretty good clue that there's
something there he's not being allowed to see.
regards, tom lane
