Grant column level permissions
Hi, from postgesql features list mentioned at
http://www.postgresql.org/about/press/features84.html, I came to know that
it is possible to grant column level permissions.
PostgreSQL is "the most secure by default" and part of that is making
security tools easy to use. 8.4 makes our existing connection and access
control more flexible and simpler to understand.
Column-Level Permissions DBAs can now grant permissions (SELECT, UPDATE) on
specific columns as well as on entire tables. This makes it easier to secure
sensitive data in your database.
Could anyone please give me the example of how to grant column level
permissions? Basically, I want to give permissions to set of
users(user-group) to only couple of columns in my table.
Thanks,
Dipti
On Apr 8, 2010, at 4:22 , dipti shah wrote:
Hi, from postgesql features list mentioned at
http://www.postgresql.org/about/press/features84.html, I came to know that
it is possible to grant column level permissions.
<snip/>
Could anyone please give me the example of how to grant column level
permissions? Basically, I want to give permissions to set of
users(user-group) to only couple of columns in my table.
Have you reviewed the fine documentation?
<http://www.postgresql.org/docs/8.4/interactive/sql-grant.html>
Michael Glaesemann
grzm seespotcode net
Yup. I read it and tired couple of ways but couldn't figured out how to
specify column names. It gives me below error message and hence, I asked for
the example.
GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( *column* [, ...] )
[,...] | ALL [ PRIVILEGES ] ( *column* [, ...] ) }
ON [ TABLE ] *tablename* [, ...]
TO { [ GROUP ] *rolename* | PUBLIC } [, ...] [ WITH GRANT OPTION ]
techdb=# grant select(column['description']) ON techtable TO user1;
ERROR: syntax error at or near "column"
LINE 1: grant select(column['description']) ON techtable TO user1;
^
Thanks,
Dipti.
On Thu, Apr 8, 2010 at 4:13 PM, Michael Glaesemann <grzm@seespotcode.net>wrote:
Show quoted text
On Apr 8, 2010, at 4:22 , dipti shah wrote:
Hi, from postgesql features list mentioned at
http://www.postgresql.org/about/press/features84.html, I came to knowthat
it is possible to grant column level permissions.
<snip/>
Could anyone please give me the example of how to grant column level
permissions? Basically, I want to give permissions to set of
users(user-group) to only couple of columns in my table.Have you reviewed the fine documentation?
<http://www.postgresql.org/docs/8.4/interactive/sql-grant.html>Michael Glaesemann
grzm seespotcode net
Okay. I think I got it but it is not working the way it should. I have given
select permission on one column but still it is displaying both the columns.
Could you please tell me what is wrong.
techdb=# GRANT SELECT (description), UPDATE (description) ON techtable TO
user1;
GRANT
sysdb=> select * from techtable;
number | description
--------+-------------
(0 rows)
techdb=>
Thanks.
On Thu, Apr 8, 2010 at 5:02 PM, dipti shah <shahdipti1980@gmail.com> wrote:
Show quoted text
Yup. I read it and tired couple of ways but couldn't figured out how to
specify column names. It gives me below error message and hence, I asked for
the example.GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( *column* [, ...] )
[,...] | ALL [ PRIVILEGES ] ( *column* [, ...] ) }
ON [ TABLE ] *tablename* [, ...]
TO { [ GROUP ] *rolename* | PUBLIC } [, ...] [ WITH GRANT OPTION ]techdb=# grant select(column['description']) ON techtable TO user1;
ERROR: syntax error at or near "column"
LINE 1: grant select(column['description']) ON techtable TO user1;
^Thanks,
Dipti.On Thu, Apr 8, 2010 at 4:13 PM, Michael Glaesemann <grzm@seespotcode.net>wrote:
On Apr 8, 2010, at 4:22 , dipti shah wrote:
Hi, from postgesql features list mentioned at
http://www.postgresql.org/about/press/features84.html, I came to knowthat
it is possible to grant column level permissions.
<snip/>
Could anyone please give me the example of how to grant column level
permissions? Basically, I want to give permissions to set of
users(user-group) to only couple of columns in my table.Have you reviewed the fine documentation?
<http://www.postgresql.org/docs/8.4/interactive/sql-grant.html>Michael Glaesemann
grzm seespotcode net
On Thu, Apr 8, 2010 at 1:41 PM, dipti shah <shahdipti1980@gmail.com> wrote:
Okay. I think I got it but it is not working the way it should. I have given
select permission on one column but still it is displaying both the columns.
Could you please tell me what is wrong.techdb=# GRANT SELECT (description), UPDATE (description) ON techtable TO
user1;
GRANT
sysdb=> select * from techtable;
number | description
--------+-------------
(0 rows)techdb=>
Thanks.
test=# CREATE USER user1 ENCRYPTED PASSWORD 'test';
CREATE ROLE
test=# CREATE TABLE t1 (col1 int, col2 int);
CREATE TABLE
test=# REVOKE ALL ON t1 FROM user1 ;
REVOKE
test=# GRANT SELECT (col1) ON t1 TO user1;
GRANT
test=# \c test user1
You are now connected to database "test" as user "user1".
test=> select col1 from t1;
col1
------
(0 rows)
test=> select col2 from t1;
ERROR: permission denied for relation t1
--
Pozdrawiam / Best Regards / Mit freundlichen Grüßen
Michal Pawlikowski
XMPP: misiekbest@gmail.com
FB: http://tinyurl.com/fbmbst
MS: http://myspace.com/mpawlikowski
I also tried below:
techdb=# revoke all ON techtable from public;
REVOKE
techdb=# select pc.relname, pc.relacl from pg_class pc, pg_namespace pn
where pc.relnamespace=pn.oid and pn.nspname='techdb' and
pc.relname='techtable';
relname | relacl
-----------+-----------------------------
techtable | {postgres=arwdDxt/postgres}
(1 row)
techdb=# GRANT SELECT (description), UPDATE (description) ON techtable TO
user1;
GRANT
techdb=# select pc.relname, pc.relacl from pg_class pc, pg_namespace pn
where pc.relnamespace=pn.oid and pn.nspname='techdb' and
pc.relname='techtable';
relname | relacl
-----------+-----------------------------
techtable | {postgres=arwdDxt/postgres}
(1 row)
Please note that giving select permission on description column doesn't made
any difference in permissions set pf pg_namespace,
techdb=# \q
psql -h techdbdev1.lon -d techdb -E
psql (8.4.1)
Type "help" for help.
techdb=> select * from techtable;
ERROR: permission denied for relation techtable
techdb=>
...and it gives permission denied..!
Please help me to sort this out.
Thanks.
On Thu, Apr 8, 2010 at 5:11 PM, dipti shah <shahdipti1980@gmail.com> wrote:
Show quoted text
Okay. I think I got it but it is not working the way it should. I have
given select permission on one column but still it is displaying both the
columns. Could you please tell me what is wrong.techdb=# GRANT SELECT (description), UPDATE (description) ON techtable TO
user1;
GRANT
sysdb=> select * from techtable;
number | description
--------+-------------
(0 rows)techdb=>
Thanks.
On Thu, Apr 8, 2010 at 5:02 PM, dipti shah <shahdipti1980@gmail.com>wrote:
Yup. I read it and tired couple of ways but couldn't figured out how to
specify column names. It gives me below error message and hence, I asked for
the example.GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( *column* [, ...] )
[,...] | ALL [ PRIVILEGES ] ( *column* [, ...] ) }
ON [ TABLE ] *tablename* [, ...]
TO { [ GROUP ] *rolename* | PUBLIC } [, ...] [ WITH GRANT OPTION ]techdb=# grant select(column['description']) ON techtable TO user1;
ERROR: syntax error at or near "column"
LINE 1: grant select(column['description']) ON techtable TO user1;
^Thanks,
Dipti.On Thu, Apr 8, 2010 at 4:13 PM, Michael Glaesemann <grzm@seespotcode.net>wrote:
On Apr 8, 2010, at 4:22 , dipti shah wrote:
Hi, from postgesql features list mentioned at
http://www.postgresql.org/about/press/features84.html, I came to knowthat
it is possible to grant column level permissions.
<snip/>
Could anyone please give me the example of how to grant column level
permissions? Basically, I want to give permissions to set of
users(user-group) to only couple of columns in my table.Have you reviewed the fine documentation?
<http://www.postgresql.org/docs/8.4/interactive/sql-grant.html>Michael Glaesemann
grzm seespotcode net
Ohh...sorry. It works but I am wondering why pg_namespace doesn't display
any information.
techdb=> select description from techtable;
description
-------------
(0 rows)
techdb=> select number from techtable;
ERROR: permission denied for relation techtable
Thanks a ton.
On Thu, Apr 8, 2010 at 5:22 PM, dipti shah <shahdipti1980@gmail.com> wrote:
Show quoted text
I also tried below:
techdb=# revoke all ON techtable from public;
REVOKE
techdb=# select pc.relname, pc.relacl from pg_class pc, pg_namespace pn
where pc.relnamespace=pn.oid and pn.nspname='techdb' and
pc.relname='techtable';
relname | relacl
-----------+-----------------------------
techtable | {postgres=arwdDxt/postgres}
(1 row)techdb=# GRANT SELECT (description), UPDATE (description) ON techtable TO
user1;
GRANT
techdb=# select pc.relname, pc.relacl from pg_class pc, pg_namespace pn
where pc.relnamespace=pn.oid and pn.nspname='techdb' and
pc.relname='techtable';
relname | relacl
-----------+-----------------------------
techtable | {postgres=arwdDxt/postgres}
(1 row)Please note that giving select permission on description column doesn't
made any difference in permissions set pf pg_namespace,techdb=# \q
psql -h techdbdev1.lon -d techdb -E
psql (8.4.1)
Type "help" for help.techdb=> select * from techtable;
ERROR: permission denied for relation techtable
techdb=>...and it gives permission denied..!
Please help me to sort this out.
Thanks.
On Thu, Apr 8, 2010 at 5:11 PM, dipti shah <shahdipti1980@gmail.com>wrote:
Okay. I think I got it but it is not working the way it should. I have
given select permission on one column but still it is displaying both the
columns. Could you please tell me what is wrong.techdb=# GRANT SELECT (description), UPDATE (description) ON techtable TO
user1;
GRANT
sysdb=> select * from techtable;
number | description
--------+-------------
(0 rows)techdb=>
Thanks.
On Thu, Apr 8, 2010 at 5:02 PM, dipti shah <shahdipti1980@gmail.com>wrote:
Yup. I read it and tired couple of ways but couldn't figured out how to
specify column names. It gives me below error message and hence, I asked for
the example.GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( *column* [, ...] )
[,...] | ALL [ PRIVILEGES ] ( *column* [, ...] ) }
ON [ TABLE ] *tablename* [, ...]
TO { [ GROUP ] *rolename* | PUBLIC } [, ...] [ WITH GRANT OPTION ]techdb=# grant select(column['description']) ON techtable TO user1;
ERROR: syntax error at or near "column"
LINE 1: grant select(column['description']) ON techtable TO user1;
^Thanks,
Dipti.On Thu, Apr 8, 2010 at 4:13 PM, Michael Glaesemann <grzm@seespotcode.net
wrote:
On Apr 8, 2010, at 4:22 , dipti shah wrote:
Hi, from postgesql features list mentioned at
http://www.postgresql.org/about/press/features84.html, I came to knowthat
it is possible to grant column level permissions.
<snip/>
Could anyone please give me the example of how to grant column level
permissions? Basically, I want to give permissions to set of
users(user-group) to only couple of columns in my table.Have you reviewed the fine documentation?
<http://www.postgresql.org/docs/8.4/interactive/sql-grant.html>Michael Glaesemann
grzm seespotcode net
On Thu, Apr 8, 2010 at 1:52 PM, dipti shah <shahdipti1980@gmail.com> wrote:
techdb=> select * from techtable;
ERROR: permission denied for relation techtable
techdb=>...and it gives permission denied..!
This should work:
SELECT description from techtable;
UPDATE techtable SET description = 'xyz'
This should not work:
select * from techtable;
UPDATE techtable SET other_column = 'xyz'
--
Pozdrawiam / Best Regards / Mit freundlichen Grüßen
Michal Pawlikowski
XMPP: misiekbest@gmail.com
FB: http://tinyurl.com/fbmbst
MS: http://myspace.com/mpawlikowski