On 10/2/19 5:27 PM, raf wrote:
>>
> I can't help with questions about scale but I like to give roles/users
> almost no permissions at all. i.e. They can't select, insert, update
> or delete anything. All they have permission to do is to execute stored
> functions that were installed by a role with the necessary permissions
> and they are security defining functions so the permissions of the role
> that created them apply when the functions are called. This means that
> there will never be any successful SQL injection, even if the application
> code is buggy, so it's more important for web applications, but I apply
> this method to internal systems as well. This approach might help with
> scaling because fewer users might be needed but I'm not sure.
>
> cheers,
> raf
>
>
How easy is it to introduce an new function call all the way up to the
app user? Does this approach preclude making use of any query
generation techniques available?