Re: Label Security - Mailing list pgsql-sql

From Bruno Wolff III
Subject Re: Label Security
Date
Msg-id 20040127022416.GA14179@wolff.to
In response to Re: Label Security  (James Taylor <jtx@hatesville.com>)
List pgsql-sql
On Mon, Jan 26, 2004 at 16:50:06 -0800, James Taylor <jtx@hatesville.com> wrote:
> Ok, so for example, say I add another column to the tables I want to
> have the row-level security on called 'security'. I would go ahead and
> designate different security levels for each user, (ex. Jane security
> 1000, Bill 2000, Joe 3000). Then, if I only want X user with security
> 1000 to view Y row, I set Y.security to 1000.
> Then, I give these users no access to the table, and create views for
> EACH user saying something to the effect of "select * from z where
> security=securitylevel", and grant access to the views only to the user
> itself.

You can refer to current_user in the view. This allows you to use one
view for all users. Though you still have to have some information
mapping users to rows they can access in the database.

> Couldn't a user then go into the console themselves and create a view 
> giving them full access to the table?

You don't have to give them access to the table directly in order to
have the view work. When accessing a table through a view you have the
rights of the person who created the view.
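The single-view approach described in this reply, written out as an added PostgreSQL example (not code from the thread); the table name z and the 'security' column come from the question, while user_security, z_secure and the role names are assumptions made for the illustration. Everything below is run by the owner of z, who keeps all rights on the base tables.

```sql
-- Login roles for the three users from the question.
CREATE ROLE jane LOGIN;
CREATE ROLE bill LOGIN;
CREATE ROLE joe  LOGIN;

-- Mapping from database role to the clearance level that role holds.
CREATE TABLE user_security (
    username      name    PRIMARY KEY,
    securitylevel integer NOT NULL
);

-- The protected table, carrying the per-row label from the question.
CREATE TABLE z (
    id       serial  PRIMARY KEY,
    payload  text,
    security integer NOT NULL
);

INSERT INTO user_security VALUES ('jane', 1000), ('bill', 2000), ('joe', 3000);
INSERT INTO z (payload, security) VALUES
    ('row for jane', 1000),
    ('row for bill', 2000),
    ('row for joe',  3000);

-- One view for every user: the join looks up current_user in the
-- mapping table, so each session sees only rows whose label matches
-- its own clearance. No per-user view is needed.
CREATE VIEW z_secure AS
    SELECT z.*
      FROM z
      JOIN user_security u ON u.username = current_user
     WHERE z.security = u.securitylevel;

-- Users get no privilege on the base table or the mapping table, only
-- SELECT on the view. The view's query runs with the view owner's
-- rights, so a view a user creates for themselves on z would fail,
-- because that view would run with their own (empty) rights on z.
REVOKE ALL ON z, user_security FROM PUBLIC;
GRANT SELECT ON z_secure TO jane, bill, joe;

-- Connected as jane, the first query is allowed and returns only her
-- rows; the second is rejected because jane holds no privilege on z.
SET ROLE jane;
SELECT payload FROM z_secure;
SELECT payload FROM z;
RESET ROLE;
```

On PostgreSQL 9.2 and later, declare the view WITH (security_barrier = true) so that user-supplied functions in a caller's query cannot be evaluated before the row filter and leak filtered rows; from 9.5 on, CREATE POLICY provides native row-level security on the table itself.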
