Thread: Help with ODBC problem

Help with ODBC problem

From
"Chris Hoover"
Date:
I am in need of some help.  We are looking at rolling out a reporting
tool to our users and need to make sure that the users only see the
objects we give them access to.

To start testing, I have created a new user and group to test with.  I
then created a view to use and gave the group select access to this view
only and put the user into this group.  However, when we pull up the
odbc connection from a client machine (windows), we see all tables
listed and then the single view.  While this test user can not select
from the tables, he can see them.  This is a problem for us since we do
not want our end users to see any portion of our actual schema.

How do I get the odbc/db configured so that the only odbc objects the
end user sees are the views we give them access?

Thanks,

Chris



Re: Help with ODBC problem

From
Jeff Eckermann
Date:
--- Chris Hoover <revoohc@sermonaudio.com> wrote:
> I am in need of some help.  We are looking at
> rolling out a reporting
> tool to our users and need to make sure that the
> users only see the
> objects we give them access to.
>
> To start testing, I have created a new user and
> group to test with.  I
> then created a view to use and gave the group select
> access to this view
> only and put the user into this group.  However,
> when we pull up the
> odbc connection from a client machine (windows), we
> see all tables
> listed and then the single view.  While this test
> user can not select
> from the tables, he can see them.  This is a problem
> for us since we do
> not want our end users to see any portion of our
> actual schema.
>
> How do I get the odbc/db configured so that the only
> odbc objects the
> end user sees are the views we give them access?
>

Create a separate schema for each user, or class of
users, that you want to have limited access.  Put all
of the objects that you want them to have access to
into the relevant schema(s).  Then, in the "connect
settings" box in the DSN, enter the command "set
search_path to myschema, public;" (or leave out public
if you want).  If you are connecting using code,
rather than a DSN, then just issue that command
directly after connecting.

That will restrict users to seeing only those objects
which you want them to see.  If you revoke their
access permissions to the public schema, and only
grant permissions on the one special schema, plus
tables etc., then you will lock the whole thing up
tight.

> Thanks,
>
> Chris
>
>
>
> ---------------------------(end of
> broadcast)---------------------------
> TIP 7: don't forget to increase your free space map
settings





__________________________________
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/

Re: Help with ODBC problem

From
"Chris Hoover"
Date:
Jeff Eckermann wrote:

> Create a separate schema for each user, or class of
>
>users, that you want to have limited access.  Put all
>of the objects that you want them to have access to
>into the relevant schema(s).  Then, in the "connect
>settings" box in the DSN, enter the command "set
>search_path to myschema, public;" (or leave out public
>if you want).  If you are connecting using code,
>rather than a DSN, then just issue that command
>directly after connecting.
>
>That will restrict users to seeing only those objects
>which you want them to see.  If you revoke their
>access permissions to the public schema, and only
>grant permissions on the one special schema, plus
>tables etc., then you will lock the whole thing up
>tight.
>
>
Ok, I created a new schema and put my view into it giving my reporting
group access to this view only.  I also set the search_path in the odbc
driver and as an alter user, but I am still seeing a full db catalog
when I connect to my db via odbc. (link trying to link a table in Access).

Any further ideas?  I really need the end users to only see the specific
views/tables I grant them access to when they are an area where they are
able to choose tables/views to view.

Thanks,

Chris





Re: Help with ODBC problem

From
Dave Page
Date:


From: Chris Hoover
Sent: Fri 6/4/2004 9:39 PM
To: Jeff Eckermann
Cc: pgsql-odbc@postgresql.org
Subject: Re: [ODBC] Help with ODBC problem
Ok, I created a new schema and put my view into it giving my reporting 
group access to this view only.  I also set the search_path in the odbc 
driver and as an alter user, but I am still seeing a full db catalog 
when I connect to my db via odbc. (link trying to link a table in Access).

Any further ideas?  I really need the end users to only see the specific 
views/tables I grant them access to when they are an area where they are 
able to choose tables/views to view.
I think you'll be out of luck. iirc, when an app asks the ODBC driver what tables exist it just queries pg_class without regard to visibility rules imposed by the schema search path. Technically this is correct, because even without a schema being in the path, a user can still reference it using scheme.table notation.
I suspect your best option would be to hack PGAPI_Tables() in info.c if you absolutely must stop users seeing tables, though the best be would probably be to simply leave the driver as it is, let the users see the tables, but deny them any direct access to them.
Regards, Dave