Hi Tom,
The column or columns can just return null for the non-authorized user, so there is no SQL semantics issue.
Garry
-----Original Message-----
From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
Sent: Wednesday, June 21, 2017 12:27 PM
To: Garry Chen <gc92@cornell.edu>
Cc: pgsql-novice@postgresql.org
Subject: Re: [NOVICE] Column level security question
Garry Chen <gc92@cornell.edu> writes:
> For example: a function that only allows deptno=30 or resp=10 to see the columns named 'sale' and 'card_num', and a policy applied to the table that can carry out the function. So only users in deptno 30 or with responsibility level equal to 10 can see the columns named 'sale' and 'card_num', without using a role. Such that the security can be relied on the data owner, not the DBA.
I think you'd be better off to think of a way to express this through grantable privileges, perhaps with some intermediate views that different user populations are allowed to access. It's really hard to think of a way that columns could be dynamically allowed or not allowed without breaking SQL semantics pretty thoroughly.
regards, tom lane
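Tom's "intermediate views plus grantable privileges" approach combined with Garry's "return NULL to the non-authorized user" idea, as an added PostgreSQL example that is not part of this thread. The table, column, view and role names (emp_attr, sales, sales_masked, alice/bob/carol) are assumptions made for illustration.

```sql
-- Added example, not from the thread. Assumes roles alice, bob and carol
-- exist and that this script is run by the data owner, who owns both
-- tables and the view (so the DBA's role grants are not involved).

CREATE TABLE emp_attr (          -- per-user attributes, maintained by the data owner
    username text PRIMARY KEY,
    deptno   integer NOT NULL,
    resp     integer NOT NULL
);

CREATE TABLE sales (
    id       serial PRIMARY KEY,
    empname  text NOT NULL,
    amount   numeric(12,2),
    sale     numeric(12,2),      -- sensitive column
    card_num text                -- sensitive column
);

-- Constructed sample rows
INSERT INTO emp_attr VALUES ('alice', 30, 5), ('bob', 10, 10), ('carol', 10, 5);
INSERT INTO sales (empname, amount, sale, card_num)
VALUES ('alice', 100.00, 90.00, '4111-xxxx-xxxx-1111');

-- Privileges on the base table are checked against the view owner, but
-- current_user still evaluates to the caller, so the CASE decides per
-- session whether the sensitive columns come back or are NULL.
-- security_barrier stops user-supplied WHERE functions being pushed
-- below the masking expressions.
CREATE VIEW sales_masked WITH (security_barrier) AS
SELECT s.id, s.empname, s.amount,
       CASE WHEN a.deptno = 30 OR a.resp = 10 THEN s.sale     END AS sale,
       CASE WHEN a.deptno = 30 OR a.resp = 10 THEN s.card_num END AS card_num
FROM sales s
LEFT JOIN emp_attr a ON a.username = current_user;

-- Ordinary users never get the base table, only the view; the view's
-- column list is fixed, so SQL semantics are untouched.
REVOKE ALL ON sales FROM PUBLIC;
GRANT SELECT ON sales_masked TO alice, bob, carol;

-- Check: carol (deptno 10, resp 5) sees NULL for sale and card_num;
-- alice (deptno 30) and bob (resp 10) see the real values.
SET ROLE carol;
SELECT empname, sale, card_num FROM sales_masked;
RESET ROLE;
```

A user with no emp_attr row falls through the LEFT JOIN to NULLs, so an unknown caller is denied by default rather than granted.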