On Mon, Dec 20, 2004 at 17:21:02 -0000,
  "Dearman, Rick" <[EMAIL PROTECTED]> wrote:
> I have a requirement from my security manager but I can't seem to find a good
> solution. So I wondered if someone had done something similar.
>
> We have a web portal and a DB in PostgreSQL (obviously) which contains user
> data. The portal is accessed by account managers who have access to only
> specific user accounts. This all works fine however the concern is that if
> you ever got access more directly into the DB through a hack, or poorly
> designed site code, you could potentially access information that you
> shouldn't.

If the managers access the web site using their DB credentials then you can
enforce the proper access in the DB using views and/or security definer
functions. If the managers don't have their own DB accounts, then the web
application needs to be trusted and you should spend your effort securing that.
Implementing a cache in between doesn't seem to help in solving your problem.
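
A sketch of the approach the reply describes, added here as an example and not part of the original thread: each manager connects as their own PostgreSQL role, the base tables are not granted to them, and access goes through a view and a security definer function. All role, table and function names are hypothetical, and the syntax assumes a current PostgreSQL release with the tables in schema public.

```sql
-- Added example; every role, table and function name is hypothetical.
CREATE ROLE alice LOGIN;  -- one DB role per account manager (the reply's precondition)
CREATE ROLE bob LOGIN;

CREATE TABLE user_accounts (
    account_id int PRIMARY KEY,
    owner_name text NOT NULL,
    balance    numeric NOT NULL
);
CREATE TABLE manager_accounts (
    manager    name NOT NULL,  -- DB role name of the account manager
    account_id int  NOT NULL REFERENCES user_accounts,
    PRIMARY KEY (manager, account_id)
);

-- Constructed sample data.
INSERT INTO user_accounts VALUES (1, 'Acme', 100), (2, 'Globex', 250);
INSERT INTO manager_accounts VALUES ('alice', 1), ('bob', 2);

-- Explicit no-op: tables grant nothing to PUBLIC by default, managers get no base-table access.
REVOKE ALL ON user_accounts, manager_accounts FROM PUBLIC;

-- The view reads the tables with its owner's privileges, while current_user
-- is still the caller. security_barrier stops caller functions seeing hidden rows.
CREATE VIEW my_accounts WITH (security_barrier) AS
SELECT a.account_id, a.owner_name, a.balance
  FROM user_accounts a
  JOIN manager_accounts m USING (account_id)
 WHERE m.manager = current_user;
GRANT SELECT ON my_accounts TO alice, bob;

-- Controlled write path. Inside a SECURITY DEFINER function current_user is
-- the function owner, so the caller is identified with session_user.
CREATE FUNCTION adjust_balance(p_account int, p_delta numeric)
RETURNS numeric
LANGUAGE sql SECURITY DEFINER
SET search_path = public, pg_temp  -- pin lookup so callers cannot shadow objects
AS $$
    UPDATE user_accounts a
       SET balance = balance + p_delta
     WHERE a.account_id = p_account
       AND EXISTS (SELECT 1 FROM manager_accounts m
                    WHERE m.account_id = a.account_id
                      AND m.manager = session_user)
    RETURNING a.balance;
$$;
REVOKE ALL ON FUNCTION adjust_balance(int, numeric) FROM PUBLIC;  -- EXECUTE is public by default
GRANT EXECUTE ON FUNCTION adjust_balance(int, numeric) TO alice, bob;
```

Connected as alice, `SELECT * FROM my_accounts` returns only account 1, and `adjust_balance(2, 10)` changes nothing and returns NULL. If the portal instead logs in with one shared role, `current_user` and `session_user` are that shared role for every manager and these checks no longer distinguish them.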