Re: [pgadmin-support] Separate Sessions?? (View data <-> Query tool) - Mailing list pgsql-general

>If I understand well you say that I could isolate data by using separate group roles for each firms and defining updatable views to work on.
yes. it's one way to do it.
As simple as this example is, you might as well make a seperate table for each firm. Then you wouldn't need to bother with views and rules.
The views get interesting when you want to allow one record to be selected by more than one firm.
Or if you want to be able to do stuff with all of the data in table1.
The disadvantage is that each firm has to use diffent code, they select from a different table. If you want to get really crazy you can add a username to table1 and make just one view that filters on applicable_roles (all the roles granted to the current_role). But that doesn't scale so well i guess.


>This sounds quite promissing.
Well, it only works as long as you use the database authentication (and authorisation) system. Meaning that your application logs in to the database with a seperate account for each user.
Works great for database clients like pgadmin, but it doesn't make you happy in PHP or standard webservice stuff.
In that case you don't need this kind of authorisation in the database layer, but you do it in a different application.

>The most strange thing for me is revoking all rights from table1 but I guess this is the heart of it... If I revoke all rights on table1 from the roles how will the user be able to modify the data of table1 trough the views?
> I read somewhere that when a user wants to select rows from a view the user needs to have the select permission for the undelaying table as well, and thats the case with updating or inserting too.