
Re: Label Security

From: James Taylor <jtx(at)hatesville(dot)com>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: Label Security
Date: 2004-01-27 00:50:06
Message-ID: BFFA4DDC-5062-11D8-AA39-000A95982628@hatesville.com
Lists: pgsql-sql
Ok, so for example, say I add another column to the tables I want to
have the row-level security on called 'security'.  I would go ahead and
designate different security levels for each user, (ex. Jane security
1000, Bill 2000, Joe 3000).  Then, if I only want X user with security
1000 to view Y row, I set Y.security to 1000.
Then, I give these users no access to the table, and create views for
EACH user saying something to the effect of "select * from z where
security=securitylevel", and grant access to the views only to the user
itself.

Couldn't a user then go into the console themselves and create a view 
giving them full access to the table?

Or, maybe I'm way off on this whole thing.

On Jan 26, 2004, at 1:06 PM, Bruno Wolff III wrote:

> On Mon, Jan 26, 2004 at 12:45:40 -0800,
>   James Taylor <jtx(at)hatesville(dot)com> wrote:
>> I'm migrating an Oracle 9 database over to Postgres 7.3.4, and just
>> ran into something I've never seen before (honestly, due to my lack
>> of experience in Oracle) and was curious if Postgres supported
>> anything similar.   The DBA that set up Oracle appears to have
>> enabled Oracle Label Security, which looks as though it offers
>> per-row security levels.  So, say we have the table 'test',  user
>> 'Nancy' does a "select * from test" and only will be shown rows she
>> has permission to.  Joe will get the same, and the superuser can see
>> everything.  Does Postgres offer anything like this, maybe even
>> through third party software
>
> You can do this with views, but there isn't a turn key set up to
> do this.
> You can give someone access to a view without giving them direct access
> to underlying tables. A view can check the current username versus
> some data in the table being displayed (perhaps joined with some other
> tables that keep track of group membership).
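
The view-based approach discussed in this thread, written out as an added example that is not part of the original messages. The table `z`, the `security` column and the levels for Jane, Bill and Joe follow the message above; `user_levels`, `z_visible`, `payload` and `jane_all` are hypothetical names, and the rows are constructed sample data.

```sql
-- Added example: one shared view that filters on the calling user,
-- instead of one view per user. Run the setup as the table owner.
CREATE USER jane;
CREATE USER bill;
CREATE USER joe;

CREATE TABLE z (
    id       integer PRIMARY KEY,
    payload  text,
    security integer NOT NULL   -- label of the row (Y.security in the message)
);

-- Hypothetical mapping table: database user -> security level.
CREATE TABLE user_levels (
    username      name PRIMARY KEY,
    securitylevel integer NOT NULL
);

INSERT INTO user_levels VALUES ('jane', 1000);
INSERT INTO user_levels VALUES ('bill', 2000);
INSERT INTO user_levels VALUES ('joe',  3000);

-- Constructed sample rows.
INSERT INTO z VALUES (1, 'visible to level 1000', 1000);
INSERT INTO z VALUES (2, 'visible to level 2000', 2000);
INSERT INTO z VALUES (3, 'visible to level 3000', 3000);

-- current_user is evaluated for the session running the query,
-- so each caller only matches rows carrying their own level.
CREATE VIEW z_visible AS
    SELECT z.id, z.payload
    FROM z
    JOIN user_levels u ON u.securitylevel = z.security
    WHERE u.username = current_user;

-- No direct access to the base tables; access only through the view.
REVOKE ALL ON z, user_levels FROM PUBLIC;
GRANT SELECT ON z_visible TO jane, bill, joe;

-- Check as jane (SET SESSION AUTHORIZATION requires a superuser session).
SET SESSION AUTHORIZATION 'jane';
SELECT * FROM z_visible;        -- only the row with id = 1
-- SELECT * FROM z;             -- fails: permission denied for z
-- CREATE VIEW jane_all AS SELECT * FROM z;
-- SELECT * FROM jane_all;      -- fails: permission denied for z
RESET SESSION AUTHORIZATION;
```

The last two commented statements cover the case where a user defines a view of their own: PostgreSQL reads a view's underlying tables with the privileges of the view's owner, so a view owned by jane can see no more of `z` than jane can.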

