Re: Row-level security?

From: Roy Hann <specially_at_processed.almost.meat>
Date: Thu, 28 May 2009 11:29:32 -0500
Message-ID: <asSdndciI4BxJoPXnZ2dnUVZ8ladnZ2d_at_pipex.net>

lawpoop wrote:

> On May 28, 10:48�am, Roy Hann <specia..._at_processed.almost.meat> wrote:
>
>> I don't know if relational theory has a lot to say about permissions
>> other than to provide the necessary machinery. �What you want is a base
>> table to which the user has no access, and a view of that table which is
>> restricted to just the rows the user should be able to see. �The user
>> is then given permission to select only from the view.
>
> So basically you'd want to do a view for each client? Or, in general,
> a view for every table for every user where you want row-level access?

No, that would be horrible. No, you just need a DBMS that knows the user id (USER) and can use it in the restriction. So you'd create a single view like

CREATE VIEW userinfo AS
SELECT * FROM clientinfo
WHERE clientid = USER

You would then grant this one view to public. The value of USERID should be different for each user so that single view will appear to have different rows depending on who is looking at it. You can go further with this idea, not only projecting just selected columns but also enforcing time of date restrictions (e.g. office hours only), and so on.

One can imagine various workarounds for DBMSs that don't know or can't provide the value of USER, but you would still really need only one view for all.

-- 
Roy

Received on Thu May 28 2009 - 18:29:32 CEST

This message: [ Message body ]
Next message: lawpoop: "Re: Row-level security?"
Previous message: paul c: "Re: Row-level security?"
Maybe in reply to: lawpoop: "Row-level security?"
In reply to lawpoop: "Re: Row-level security?"
Next in thread: lawpoop: "Re: Row-level security?"
Reply: lawpoop: "Re: Row-level security?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message