Re: Oracle Label Security/ Row Level Security on Postgresql

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Mark Johnson <mark(at)remingtondatabasesolutions(dot)com>
Cc: Jaime Casanova <jaime(at)2ndquadrant(dot)com>, H S <aras_h1988(at)yahoo(dot)com>, admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Oracle Label Security/ Row Level Security on Postgresql
Date: 2011-03-10 15:06:00
Message-ID: 20110310150600.GO4116@tamriel.snowman.net
Lists: pgsql-admin

* Mark Johnson (mark(at)remingtondatabasesolutions(dot)com) wrote:
> I am in the same boat, and I do not think SE-PG or the pending PG 9.1 will do what we want. I don't see where it provides per-user row filtering or column filtering as is possible with Oracle (well, certain Oracle editions and/or certain extra cost software).

SE-PG had row-level filtering based off of a label, so if you gave every user
a label, that'd work (though that's not how it's typically done).

> I think even in PG 9.1 you will need to use views or application layer logic to simulate Oracle's VPD and OLS. It's my understanding that if your business requires row level security, then in PG you actually need to install separate clusters.

It's going to depend on exactly what you need/want to have segregated.
You need separate clusters if you want the list of users to be
different, since those are stored at the cluster level. PG 9.1 won't be
including any kind of RLS beyond 'traditional' function/view-based
custom implementations. It's good to hear more people asking about
this, however, as RLS is definitely something I'd like to see get in to
a release of PG in the future, and one of the definite push-backs is
lack of user demand.

> Please correct me if I am mistaken, but I think SE-PG allows us to establish Mandatory Access Controls (MAC) for each operation for each object, such as creating an operating system group that explicitly names all users who can query table foo, and another group to define who can insert into foo.

You don't need to define Unix groups. It is label-based and is tied
into the kernel's ideas about what labels exist, though. Certainly,
for PG, we would like to have both stand-alone RLS and RLS which is
backed by MAC/SELinux.

Thanks,

Stephen
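An added example, not code from this thread, of the 'traditional' function/view-based row and column filtering the reply refers to; the roles, the documents table and the sample rows are hypothetical and constructed for illustration, and the statements are written for PostgreSQL 9.1 with later-version caveats noted in comments.

```sql
-- Added example (not from the thread): view-based per-user row and column
-- filtering in PostgreSQL. Roles, table and data are hypothetical.

CREATE ROLE app_users NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE app_users;
CREATE ROLE bob   LOGIN IN ROLE app_users;

CREATE TABLE documents (
    id     serial PRIMARY KEY,
    owner  name NOT NULL DEFAULT current_user,  -- role allowed to see the row
    body   text,
    salary numeric                              -- column to hide from app_users
);

-- Application roles never touch the base table directly.
REVOKE ALL ON documents FROM PUBLIC;

-- Row filter: only rows whose owner matches the connected role are visible.
-- Column filter: salary is simply not projected by the view.
CREATE VIEW my_documents AS
    SELECT id, owner, body
      FROM documents
     WHERE owner = current_user;

-- A query through a view is checked with the view owner's privileges on the
-- base table, so this grant is the only path app_users have to the data.
GRANT SELECT ON my_documents TO app_users;

-- Sample rows constructed for the example.
INSERT INTO documents (owner, body, salary) VALUES
    ('alice', 'alice''s note', 100),
    ('bob',   'bob''s note',   200);

-- Check: each role sees only its own row and never the salary column.
SET ROLE alice;
SELECT * FROM my_documents;   -- one row (alice's note), no salary column
SELECT * FROM documents;      -- ERROR: permission denied for relation documents
RESET ROLE;

-- Caveat: with a plain view the planner may run a cheap user-defined function
-- from the outer query before the view's WHERE clause, so filtered rows can
-- reach that function. PostgreSQL 9.2+ closes this with
-- CREATE VIEW ... WITH (security_barrier = true); 9.5+ replaces the whole
-- pattern with native row-level security (CREATE POLICY).
```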
