On Tue, Oct 5, 2010 at 11:01 AM, Robert Haas <robertmh...@gmail.com> wrote: > Well, the only thing I've ever wanted to do this for was to allow > sales reps to see their own customers but not the customers of other > sales reps (because if they could pull our complete customer list, > then once they left and went to work for $COMPETITOR they'd start > trying to pick off our customers; of course, we couldn't prevent them > from maintaining a list of their own customers, and no doubt they knew > who some of the other customers were, but they couldn't just dump out > the complete list from the database). I agree it's hopeless to > prevent all side-channel leaks, but I'd describe the goal like this: > > Prevent access to the actual tuple contents of the hidden rows.
Though I find it unlikely the sales people would have direct access to run arbitrary SQL -- let alone create custom functions. If the users that have select access on the view don't have DDL access doesn't that make them leak-proof for those users? -- greg -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
