Re: Detecting which columns a query will modify in a function called by a trigger

From: Tim Cross
Subject: Re: Detecting which columns a query will modify in a function called by a trigger
Msg-id: 871rqatrae.fsf@gmail.com
In reply to: Re: Detecting which columns a query will modify in a function called by a trigger (stan <stanb@panix.com>)
List: pgsql-general
stan <stanb@panix.com> writes:

> On Mon, Mar 02, 2020 at 11:02:54AM -0800, Adrian Klaver wrote:
>> On 3/2/20 10:59 AM, stan wrote:
>> > I need to implement a fairly fine grained security model. Probably a bit
>> > finer than I can do with the standard ownership functionality.
>> >
>> > My thinking on this is to create a table that contains the users, and a
>> > "permission bit" for each function that they may want to do, vis-à-vis
>> > altering an existing row, or rows, or inserting new rows.
>> >
>> > Looks relatively straightforward, if fairly time consuming to do. But I
>> > would need to know which column(s) a given query would add/alter from the
>> > function to implement this via a trigger. Looks like I see most of what I
>> > need to do this in the docs, but I can't quite figure out if I can get this
>> > down to what column(s) a given trigger will modify. Is this possible?
>>
>> Before you get too far into this I would look at RLS:
>>
>> https://www.postgresql.org/docs/12/ddl-rowsecurity.html
>>
> Thanks for pointing that out.
>
> Using that functionality was my original plan, but let me describe why I do not think it
> can do what I need. This may be an indication of my weakness in design
> though.
>
> Envision a table with a good many columns. This table represents the "life
> history" of a part on a project. Some of the columns need to be
> created/modified by the engineer. Some need to be created/modified by the
> purchasing agent, some of the columns need to be created by the receiving
> department, some of the columns need to be created/modified by the accounts
> payable department.
>
> Make sense?

When you speak of columns needing to be created/modified, do you really
mean columns or rows? It would be a very unusual approach to allow
multiple different 'agencies' to create/modify underlying table design.
If this is the case, then you are in an impossible position and have no
hope of implementing anything that will be maintainable and you will
never be able to manage security.

I'm hoping you mean different agencies which need to add/modify rows
within the tables?

--
Tim Cross


