On Tue, Oct 5, 2010 at 11:01 AM, Robert Haas <robertmhaas@gmail.com> wrote:
> Well, the only thing I've ever wanted to do this for was to allow
> sales reps to see their own customers but not the customers of other
> sales reps (because if they could pull our complete customer list,
> then once they left and went to work for $COMPETITOR they'd start
> trying to pick off our customers; of course, we couldn't prevent them
> from maintaining a list of their own customers, and no doubt they knew
> who some of the other customers were, but they couldn't just dump out
> the complete list from the database). I agree it's hopeless to
> prevent all side-channel leaks, but I'd describe the goal like this:
>
> Prevent access to the actual tuple contents of the hidden rows.
Though I find it unlikely the sales people would have direct access to
run arbitrary SQL -- let alone create custom functions.
If the users that have select access on the view don't have DDL access
doesn't that make them leak-proof for those users?
--
greg