> Foreign Key deletions could be handled correctly if you treat them as
> updates. If we have the following example
>
> TableA
> security_context=y value=2 fk=1
>
> TableB
> security_context=x value=1
>
> TableA refers to TableB. Context x cannot see context y.
>
> So if somebody with context x tries to delete value1 from TableB, they
> will be refused because of a row they cannot see. In this case the
> correct action is to update the tuple in TableB so it now has a
> security_context = y. The user with x cannot see it and can be persuaded
> he deleted it, while the user with y can still see it.
It seems odd for a low-privilege user to be able to elevate the
privilege of a tuple above their own privilege level. I also don't
believe that the privilege level is a total order, which might make
this something of a sticky wicket. But those are just my thoughts as
a non-guru.
...Robert