On Wed, 2 May 2001 pgsql@itsbruce.uklinux.net wrote:
> I'm writing the database backend to a web application. Being paranoid I
> want to limit the damage/exposure that the application can do.
>
> One way would be to create a database user for each application user
> (i.e. login name) and to create views for each user, not giving them any
> permissions on sensitive tables but only letting them see their own data
> through the views. How would that affect the database as the number of
> users climbs through the hundreds to the thousands? Would the thousands
> of views slow the database down? Is there an upper limit to the number
> of views?
Instead of making a kajillion views, could you use a RULE that
checks their identity against some field, and either does the right thing
or does nothing, depending on this info?
It would seem *MUCH* easier to maintain.
--
Joel Burton <jburton@scw.org>
Director of Information Systems, Support Center of Washington
