On 12/14/2015 09:55 AM, Benjamin Smith wrote:
> Is there a way to set PG field-level read permissions so that a deny doesn't
> cause the query to bomb, but the fields for which permission is denied to be
> nullified?
>
> In our web-based app, we have a request to implement granular permissions:
> table/field level permissions. EG: userX can't read customers.socialsecurity in
> any circumstance. We'd like to implement DB-level permissions; so far, we've
> been using an ORM to manage CRUD permissions.
The new Row Level Security only extends down to the row AFAIK, so how
are you doing this or planning on doing this?
>
> This is old hat, but our system has a large number of complex queries that
> immediately break if *any* field permission fails. So, implementing this for
> customers could be *very* painful....
>
> Is that there is a way to let the query succeed, but nullify any fields where
> read permissions fail? (crossing fingers) We'd be watching the PG logs to
> identify problem queries in this case.
>
>
--
Adrian Klaver
adrian.klaver@aklaver.com
