On Tue, Oct 15, 2019 at 6:07 PM David Gauthier <davegauthierpg@gmail.com> wrote:
> Users are going to be working with data through perl/DBI scripts which currently connect using a generic role with
hardcodedpassword in the connect string. Access will be select/insert/update/delete We need to tighten up security as
describedabove.
I would apply row level security, as already pointed out.
Then, in my Perl scripts, I will force a SET ROLE depending on the
operating system group/user. In such case, you can have still a
"generic" user to use as connection/login, then change the set of
permissions on the fly as connected. Of course, row level security
must be applied against current_role and not session_user.
I would not say this is a robust approach, but can do what you want
(assuming you don't have to change thousands of Perl scripts).
Hope it helps.
Luca