From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Garry Chen <gc92(at)cornell(dot)edu> |
Cc: | "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org> |
Subject: | Re: Column level security question |
Date: | 2017-06-21 16:27:01 |
Message-ID: | 2190.1498062421@sss.pgh.pa.us |
Lists: | pgsql-novice |
Garry Chen <gc92(at)cornell(dot)edu> writes:
> For example: a function that only allows deptno=30 or resp=10 to see the columns named 'sale' and 'card_num', and a policy applied to the table that can carry out the function. So only users in deptno 30 or with responsibility level equal to 10 can see the columns named 'sale' and 'card_num', without using roles, such that the security can rely on the data owner, not the DBA.
I think you'd be better off to think of a way to express this through
grantable privileges, perhaps with some intermediate views that different
user populations are allowed to access. It's really hard to think of a
way that columns could be dynamically allowed or not allowed without
breaking SQL semantics pretty thoroughly.
regards, tom lane
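As an added example (not code from Tom Lane's message or from the PostgreSQL project), here is one way to lay out the grantable-privileges-plus-intermediate-views approach he describes, so that the data owner rather than the DBA decides who sees 'sale' and 'card_num'. The table, view and role names (emp_sales, emp_sales_public, emp_sales_masked, sales_readers, sensitive_viewers) and the sample rows are assumptions constructed for the example; run it as the table's owner.

```sql
-- Added example; table, view and role names are hypothetical. Run as the data owner.

CREATE TABLE emp_sales (
    empno    integer PRIMARY KEY,
    ename    text    NOT NULL,
    deptno   integer NOT NULL,
    sale     numeric(12,2),
    card_num text
);

-- Constructed sample rows.
INSERT INTO emp_sales VALUES
    (7499, 'ALLEN', 30, 1600.00, '4111-xxxx-xxxx-1111'),
    (7782, 'CLARK', 10,    NULL, NULL);

-- 1. Grantable privileges: nobody reads the base table by default ...
REVOKE ALL ON emp_sales FROM PUBLIC;

-- ... and the general population is granted only the non-sensitive columns.
-- Column-level SELECT has one awkwardness: such a user cannot run SELECT *,
-- because * expands to columns they were not granted; they must list columns.
CREATE ROLE sales_readers NOLOGIN;
GRANT SELECT (empno, ename, deptno) ON emp_sales TO sales_readers;

-- 2. An intermediate view removes that awkwardness: it gives the general
-- population a relation with a stable column list they can SELECT * from.
CREATE VIEW emp_sales_public AS
    SELECT empno, ename, deptno FROM emp_sales;
GRANT SELECT ON emp_sales_public TO sales_readers;

-- 3. Per-user visibility of the sensitive columns, driven by a table the data
-- owner maintains (no DBA involvement, no per-user roles). Because the view is
-- owned by the data owner, it reads emp_sales with the owner's privileges.
CREATE TABLE sensitive_viewers (
    usename name PRIMARY KEY        -- login name allowed to see sale / card_num
);
INSERT INTO sensitive_viewers VALUES ('alice');   -- constructed entry

CREATE VIEW emp_sales_masked AS
    SELECT e.empno, e.ename, e.deptno,
           CASE WHEN v.usename IS NOT NULL THEN e.sale     END AS sale,
           CASE WHEN v.usename IS NOT NULL THEN e.card_num END AS card_num
    FROM emp_sales e
    LEFT JOIN sensitive_viewers v ON v.usename = current_user;
GRANT SELECT ON emp_sales_masked TO sales_readers;
```

Every user querying emp_sales_masked sees the same column list, which keeps ordinary SQL semantics intact (the concern raised above); the difference is that users listed in sensitive_viewers get the real values while everyone else gets NULL in those two columns. A member of sales_readers who instead queries card_num directly from emp_sales is refused with a permission-denied error, since that column was never granted. Adding or removing a login name in sensitive_viewers is an ordinary INSERT or DELETE by the table's owner, which is what puts the decision with the data owner rather than the DBA.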