Content-based access control

From Zeugswetter Andreas DBT
Subject Content-based access control
Date
Msg-id 219F68D65015D011A8E000006F8590C60F252B@sdexcsrv1.sd.spardat.at
List pgsql-hackers
> Content-based access control (CBAC).  In my experience,
> when these words are uttered, DBAs and MIS designers groan.
> I wish CBAC were never required.  Unfortunately sometimes
> it is, and I wonder if the PG team is thinking about it.

We handle this with views in our Informix Data Warehouse Installation.
This said, Informix has separate view and table permissions.
The way we did it, we only need one single view per table.
All users are only granted access to this view.
There is a separate cbac_table with fields (username, group).
The column group (we say mandant) is also in the data tables.
The view is always a join between the cbac_table and the data_table:
create view emp as
    select d.* from data_table d, cbac_table c where
    d.group = c.group and c.username = USER   -- USER is a db supplied var (SQLID in DB/2)
    with check option;

This said, user joins on these views can be very nasty for the optimizer,
but it works great with recent versions of Informix.

The user name is in CURRENT_USER in PostgreSQL.
Separate view and table privs are on the TODO;
updateable views are also on the TODO (I think).

Andreas
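
The one-view-per-table scheme from the message above, written out for a current PostgreSQL release as an added example (not code from the original post). Table, column and role names are constructed; the group column is called mandant because GROUP is a reserved word, and the join is expressed as a subquery so the view stays automatically updatable, which WITH CHECK OPTION requires in PostgreSQL.

```sql
-- Constructed schema: all names here are assumptions for illustration.
CREATE TABLE cbac_table (
    username name NOT NULL,   -- compared with CURRENT_USER
    mandant  text NOT NULL,   -- the "group" column from the message
    PRIMARY KEY (username, mandant)
);

CREATE TABLE data_table (
    id      integer PRIMARY KEY,
    mandant text NOT NULL,
    payload text
);

-- One view per table. security_barrier keeps user-supplied functions in a
-- caller's WHERE clause from being evaluated on rows before the mandant
-- filter has been applied.
CREATE VIEW emp WITH (security_barrier) AS
    SELECT d.*
    FROM data_table d
    WHERE d.mandant IN (SELECT c.mandant
                        FROM cbac_table c
                        WHERE c.username = CURRENT_USER)
    WITH CHECK OPTION;

-- Users are granted the view only. The view reads the base tables with its
-- owner's privileges, while CURRENT_USER is still the calling user.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
REVOKE ALL ON data_table, cbac_table FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON emp TO alice, bob;

-- Constructed sample rows.
INSERT INTO cbac_table VALUES ('alice', 'north'), ('bob', 'south');
INSERT INTO data_table VALUES (1, 'north', 'n-row'), (2, 'south', 's-row');

-- Run as the owner or a superuser, then switch to the restricted role.
SET ROLE alice;
SELECT id, mandant FROM emp;                 -- filtered to alice's mandant
INSERT INTO emp VALUES (3, 'north', 'ok');   -- row inside alice's mandant
INSERT INTO emp VALUES (4, 'south', 'no');   -- outside it: check option refuses the row
SELECT count(*) FROM data_table;             -- base table is not granted to alice
RESET ROLE;
```

The last two statements as alice are expected to fail; in psql without ON_ERROR_STOP the script continues past them.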
