I am in the same boat, and I do not think SE-PG or the pending PG 9.1 will do 
what we want. I don't see where it provides per-user row filtering or column 
filtering as is possible with Oracle (well, certain Oracle editions and/or 
certain extra cost software). I think even in PG 9.1 you will need to use views 
or application layer logic to simulate Oracle's VPD and OLS. It's my 
understanding that if your business requires row level security, then in PG you 
actually need to install separate clusters.

Please correct me if I am mistaken, but I think SE-PG allows us to establish 
Mandatory Access Controls (MAC) for each operation for each object, such as 
creating an operating system group to explicitly name all users who can query 
table foo, and another group to define who can insert into foo. Of course it's 
more than just that, but no point giving too much detail here as people can 
read the docs. I think SE-PG is more like Trusted Oracle, which was abandoned 
by Oracle after version 7 because MAC simply didn't satisfy customer 
requirements. Trusted Oracle was replaced with a combination of OLS and Data 
Vault, both sold as add-ons to the Enterprise Edition. (According to the OLS 
and Data Vault presentations I have been to, neither product alone does all of 
what Trusted Oracle used to do, and Trusted Oracle didn't do all of the things 
OLS and DV do today, so we would be incorrect to think it's a one-for-one swap).
-Mark

-----Original Message-----
From: Jaime Casanova [mailto:ja...@2ndquadrant.com]
Sent: Thursday, March 10, 2011 12:52 AM
To: 'H S'
Cc: 'admin'
Subject: Re: [ADMIN] Oracle Label Security/ Row Level Security on Postgresql

On Mon, Mar 7, 2011 at 10:00 AM, H S wrote:
> > We would like to implement Oracle Label Security or Row level security or
> > associated concepts mechanism on PostgreSQL.

for pg <= 9.0 you can try:
http://wiki.postgresql.org/wiki/SEPostgreSQL

part of this is now part of pg 9.1 (not yet released) as a contrib module

--
Jaime Casanova www.2ndQuadrant.com
Professional PostgreSQL: PostgreSQL support and training

--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
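
The view-based approach mentioned in the reply above, sketched as an added example that is not part of the original thread: a view filters rows by a per-user clearance label and hides one column, and users are granted the view only. All role, table, view and column names except `foo` are hypothetical, and the rows are constructed sample data.

```sql
-- Constructed schema: roles, tables, columns and labels are hypothetical.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

CREATE TABLE foo (
    id        serial PRIMARY KEY,
    payload   text    NOT NULL,
    salary    numeric,              -- column hidden from ordinary users
    row_level integer NOT NULL      -- sensitivity label, higher = more sensitive
);

-- Per-user clearance, readable and writable by the owner only.
CREATE TABLE user_clearance (
    username  name PRIMARY KEY,
    max_level integer NOT NULL
);

INSERT INTO user_clearance VALUES ('alice', 3), ('bob', 1);
INSERT INTO foo (payload, salary, row_level) VALUES
    ('public notice',   100, 1),
    ('internal memo',   200, 2),
    ('restricted file', 300, 3);

-- Row filter (label <= caller's clearance) plus column filter (no salary).
-- current_user is evaluated for the caller, not for the view owner.
CREATE VIEW foo_visible AS
SELECT f.id, f.payload, f.row_level
FROM foo f
JOIN user_clearance c ON c.username = current_user
WHERE f.row_level <= c.max_level;

-- Users get the view only; the base tables stay closed to them.
REVOKE ALL ON foo, user_clearance FROM PUBLIC;
GRANT SELECT ON foo_visible TO alice, bob;

-- Compare what each role can see through the view.
SET ROLE bob;
SELECT id, payload, row_level FROM foo_visible;
RESET ROLE;
SET ROLE alice;
SELECT id, payload, row_level FROM foo_visible;
RESET ROLE;
```

Plain views in 9.0 and 9.1 are not a hard security boundary, because the planner may evaluate a caller-supplied function before the view's own filter; the `security_barrier` view option added in PostgreSQL 9.2 addresses this.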
