From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
---|---|
To: | James Taylor <jtx(at)hatesville(dot)com> |
Cc: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: Label Security |
Date: | 2004-01-27 02:24:16 |
Message-ID: | 20040127022416.GA14179@wolff.to |
Lists: | pgsql-sql |

On Mon, Jan 26, 2004 at 16:50:06 -0800,
James Taylor <jtx(at)hatesville(dot)com> wrote:
> Ok, so for example, say I add another column to the tables I want to
> have the row-level security on called 'security'. I would go ahead and
> designate different security levels for each user, (ex. Jane security
> 1000, Bill 2000, Joe 3000). Then, if I only want X user with security
> 1000 to view Y row, I set Y.security to 1000.
> Then, I give these users no access to the table, and create views for
> EACH user saying something to the effect of "select * from z where
> security=securitylevel", and grant access to the views only to the user
> itself.

You can refer to current_user in the view. This allows you to use one
view for all users. Though you still have to have some information
mapping users to rows they can access in the database.

> Couldn't a user then go into the console themselves and create a view
> giving them full access to the table?

You don't have to give them access to the table directly in order to
have the view work. When accessing a table through a view you have the
rights of the person who created the view.
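
The single-view arrangement described in this reply, written out as an added example that is not part of the original message. Table `z` and column `security` come from the quoted text; the `user_security` mapping table, the `z_visible` view and the lowercase role names are assumptions, and the roles are assumed to exist already.

```sql
-- Added example, not from the thread. Run as the role that will own both
-- base tables and the view. user_security and z_visible are hypothetical names.

CREATE TABLE z (
    id       serial  PRIMARY KEY,
    payload  text    NOT NULL,
    security integer NOT NULL          -- label a user needs to see this row
);

-- The "information mapping users to rows" that the reply says is still needed.
CREATE TABLE user_security (
    username name    PRIMARY KEY,      -- compared against current_user
    level    integer NOT NULL
);

-- Constructed sample data using the levels from the quoted message.
INSERT INTO user_security VALUES ('jane', 1000), ('bill', 2000), ('joe', 3000);
INSERT INTO z (payload, security) VALUES
    ('row for jane', 1000), ('row for bill', 2000), ('row for joe', 3000);

-- Ordinary users get no privileges on either base table. They must not be
-- able to read z directly or edit their own entry in user_security.
REVOKE ALL ON z, user_security FROM PUBLIC;

-- One view for every user. current_user is evaluated as the calling user,
-- while z and user_security are read with the view owner's privileges.
-- security_barrier (PostgreSQL 9.2 and later) makes the view's own filter
-- apply before any predicate the caller adds; omit it on older servers.
CREATE VIEW z_visible WITH (security_barrier) AS
    SELECT z.id, z.payload
    FROM z
    JOIN user_security u ON u.level = z.security
    WHERE u.username = current_user;

-- Access is granted on the view only.
GRANT SELECT ON z_visible TO jane, bill, joe;
```

Connected as `jane`, a `SELECT` on `z_visible` returns only the rows labelled 1000, and a `SELECT` on `z` or a `CREATE VIEW` over `z` is refused because she holds no privilege on the base table.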