On 8/17/05, Premsun Choltanwanich <Premsun@nsasia.co.th> wrote:
>>
>> Dear All,
>>
>> I need to distribute my application that uses PostgreSQL as database to
>> my customer. But I still have some questions in my mind on database
>> security. I understand that everybody who gets my application database will
>> have full control permission on my database in case PostgreSQL is
>> already installed on their computer and they are an administrator on
>> PostgreSQL. So that means data, structure and any ideas contained in the
>> database will not be secure on this point. Is my understanding correct?
>>
>> What is the good way to make it all secure? Please advise.
>
If it is "your" database, then I would not give them the database,
but merely offer the information in the database as a "service." This,
of course, can be implemented through the internet. That way, the rules
that govern which customers can access and see which pieces of data can
be implemented in the application itself so you wouldn't have to give them
all the data and structure the customer doesn't need to see if the rules
governing how they access the database from the application are built
into the application itself, with possibly authentication credentials
stored in the database and the authentication mechanism implemented in
the application.

The only other way I can imagine where you can get beyond, at least
not showing the data they don't need to see, is querying the database
to filter out the data 'belonging' to the customer, and export that
filtered data to isolated tables comprising a new database that could
then be given to the customer, watered down to what's relevant to them.

If it's "your" database then, hey, don't give it to them. If it's
really "their" database then you wouldn't really have a problem with
giving them their data... But it's apparently not really "their"
database so keep it to yourself and offer access to the data as a service.

Ferindo
--
Ferindo Middleton
Chief Architect
Sleekcollar.com
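
The two options described in the reply above, sketched in PostgreSQL SQL as an added example that is not part of the original thread. The tables, the `app_service` role, the `export_customer_42` schema and customer id 42 are hypothetical, and the sample rows are constructed.

```sql
-- Constructed sample schema and rows (hypothetical names, not from the thread).
CREATE TABLE customers (
    customer_id integer PRIMARY KEY,
    name        text NOT NULL
);
CREATE TABLE orders (
    order_id    integer PRIMARY KEY,
    customer_id integer NOT NULL REFERENCES customers,
    item        text NOT NULL,
    unit_cost   numeric(10,2) NOT NULL  -- internal figure customers should not see
);
INSERT INTO customers VALUES (42, 'Customer A'), (43, 'Customer B');
INSERT INTO orders VALUES
    (1, 42, 'widget', 1.10),
    (2, 43, 'gadget', 7.25),
    (3, 42, 'sprocket', 0.40);

-- Option 1: data as a service. The database stays on your server and the
-- application connects as a role that cannot read the base tables at all.
CREATE ROLE app_service LOGIN;  -- assumption: authentication is configured separately
REVOKE ALL ON customers, orders FROM PUBLIC;
REVOKE ALL ON customers, orders FROM app_service;

-- The view exposes only the columns customers may see. It runs with the
-- privileges of its owner, so app_service needs no grant on orders itself.
CREATE VIEW customer_orders AS
    SELECT order_id, customer_id, item
    FROM orders;
GRANT SELECT ON customer_orders TO app_service;

-- After the application has authenticated a customer, it binds that
-- customer's id as a parameter, for example:
--   SELECT order_id, item FROM customer_orders WHERE customer_id = $1;

-- Option 2: filtered export. Copy only one customer's rows, without the
-- internal column, into an isolated schema that can be shipped on its own.
CREATE SCHEMA export_customer_42;
CREATE TABLE export_customer_42.customers AS
    SELECT customer_id, name
    FROM customers
    WHERE customer_id = 42;
CREATE TABLE export_customer_42.orders AS
    SELECT order_id, customer_id, item
    FROM orders
    WHERE customer_id = 42;

-- Only this schema is then dumped and handed over, for example with
-- pg_dump --schema=export_customer_42, leaving the full database behind.
```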