On Tue, Oct 15, 2019 at 6:07 PM David Gauthier <davegauthie...@gmail.com> wrote: > Users are going to be working with data through perl/DBI scripts which > currently connect using a generic role with hardcoded password in the connect > string. Access will be select/insert/update/delete We need to tighten up > security as described above.
I would apply row level security, as already pointed out. Then, in my Perl scripts, I will force a SET ROLE depending on the operating system group/user. In such case, you can have still a "generic" user to use as connection/login, then change the set of permissions on the fly as connected. Of course, row level security must be applied against current_role and not session_user. I would not say this is a robust approach, but can do what you want (assuming you don't have to change thousands of Perl scripts). Hope it helps. Luca