From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
---|---|
To: | John DeSoi <jd(at)icx(dot)net> |
Cc: | pgsql List <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: row-level security model |
Date: | 2004-04-01 15:26:56 |
Message-ID: | 20040401152656.GA22626@wolff.to |
Lists: | pgsql-general |
On Wed, Mar 31, 2004 at 12:30:58 -0500,
John DeSoi <jd(at)icx(dot)net> wrote:
>
> I want to have multiple groups A, B, C where each group could only see
> a subset of a table (any number of groups would be possible). If a user
> is a member of groups A and B then the rows they can see should be the
> union of what A and B can see. Ideally I could just write a SELECT rule
> for a table or view that would somehow intersect the result rows of the
> query with the result of the security function (I think Oracle has
> something like this). So is it possible to write independent "access"
> functions for each group and have them be dynamically combined based on
> the group membership of the user? I want to do this at the database
> level so the security can be enforced for any application or report
> generator that is allowed to connect.

You should be able to do this with a view. current_user will give you
the user. You probably want to join this with your own group table
and with the table of interest. If each row belongs to only one group
this is easy.