I know that LIBRARYADMAUTH is for future use but since it's a requirement so, is there any way to grant or revoke this to users?
No.
If you see in the documentation for a catalog view "for future use", then it means that there was some planning but no use yet. Catalog structures can only change on major versions, so sometimes new fields are put in "just in case". If you would be able to grant a privilege, then it would be documented as part of the GRANT statements.
See this blog entry about a guided tour of the Db2 catalog.
Related
I have 3 other members who are listed in the admin role. They have the ability to make edits in the UI for the application; however, when it comes to edit the deployment such as granting users access to the deployment, they do not have the option for edit. Is this the expected behavior?
That is an expected behavior. Although there is nothing found in the official documentation that explains this, there is a thread in the appmaker google group that explains this is not possible and apparently, it is a feature the appmaker engineers are planning to integrate in the future.
I am currently working within Postgres, and am in the process of creating some users. Whilst creating these user and testing them I've noticed that they're able to view more Schemas than they have access to. In addition to this they can view restricted Schemas tables, views, and functions. This isn't ideal.
When creating users and their permissions is there a way to have a user setup in such a way that they're only able to view certain Schemas and not all Schemas at large within our database?
I should also mention that these users would be viewing our postgres database utilizing either PgAdmin, or Tableau.
Yes. Use the command GRANT USAGE ON [schemaname] TO [username] or REVOKE USAGE ON [schemaname] FROM [username] to control access to the Schema itself.
You might need to do REVOKE USAGE ON [schemaname] FROM public to remove the default access permissions as well.
I suggest reviewing https://www.postgresql.org/docs/current/static/sql-grant.html for the full set of GRANT commands available as you may need to grant/revoke read/write access on some tables as well.
Previously I was using databases from BaaS (Backend as a Service) - Parse, Backendless, Firebase - this services has everything I need to manage users of my webapps: tokens handling, owner policies etc.
How do I manage webapp users in own database? (PostgreSQL 9.4)
Is it suppose to be just a regular table, which will contain columns "login", "password" etc. or there are specific tools to implement that?
How should I handle tokens? Should I store it somehow in database, or tokens suppose to be stored in my server and are not bind to database at all?
How do I implement owner policies? Are there some specific tools in Postgres for this, or I should simply create the column "ownerId" in each table and use it as Foreign Key?
If you know good articles on this topic - please, post a links - it will be very helpful!
I would search for it in google, but I've found nothing but articles about database users handling. I assume, this is not what I'm looking for.
Regular table or postgrsql ROLE system
Usually tokens are on application side
Postgres 9.5 have row security policies but you can implement owner policy by yourself. Hard to say what database features you have to use without
assumptions of the project.
Requires upload user information from Active Directory.
I found on the Internet a few additions that provide this opportunity: multicorn and ldap_fdw.
The problem is that I can not figure out how to filter the result
For example multicorn allows you to specify the directory where to search (path) and the object of the search (objectClass). But this is not enough. It is necessary to restrict the people who are in a particular group.
How to do it?
Postgres uses LDAP only to check password. You must still create roles with proper Postgres options, heritage and grants.
To create roles dynamically from LDAP rather than creating them manually without password, you can use a tool like ldap2pg.
Using ldap_fdw or multicorn should not be useful for this. These extensions are meant to expose foreign data to APP, not to extend Postgres internals.
Cheers,
I need some opinions.
I'm going to develop a POS and inventory software for a friend. This is a one man small scale project so I want to make the architecture as simple as possible.
I'm using Winform to develop the GUI (web interface doesn't make sense for POS software). For the database, I am using Postgresql.
The program will control access based on user roles, so either I have to develop a middle tier, using a web server, to control user access or I can just set user priveleges directly in Postgresql.
Developing a middle tier will be time consuming, and the maintenance will be more complex. So I prefer to set access control directly in the database.
Now it appears that using database to control user access is troublesome. I have to set priveleges for each role. Not to mention that for some tables, the priveleges are at column level. This makes reasoning about the security very hard.
So what I'm doing now is to set all the tables to be inaccessible except by superusers. The program will connect to the database using public role. Because the tables are inaccessible by public, I'm going to make publicly accessible stored functions with SECURITY DEFINER (with superuser role). The only way to access the tables is by using these functions.
I'll put the user roles and passwords in a table. Because the user table itself is inaccessible by non-superuser, I'll make a login function, let's call it fn_login(username, password). fn_login will return a session key if login is successful.
To call other functions, we need to supply session key for the user, e.g.: fn_purchase_list(session_key), fn_purchase_new(session_key, purchase_id, ...).
That way, I'm treating the stored functions as APIs. Adding new user will be easier as I only need to add new rows in the user table rather than adding new Postgresql roles. I won't need to set priveleges at column level. All controls will be done programmatically.
So what do you think? Is this approach feasible and scalable? Is there a better way to do it?
Thanks!
I believe there is a better way to do it. But since you haven't discussed what type of security you need, I cannot elaborate on specifics.
Since you are developing the application code in .NET, that code needs to be trusted (unlike a web application). Therefore, why don't you simply implement your roles and permissions in the application code, rather than the database?
My concern with your stated approach is the human overhead of stored procedures. Would much rather see you write the stated functions in C#, rather than in PostgreSQL. Then, standard version control and software development techniques could apply.
If you wait until somebody has at your database to check security, I think you'll be too late. That's a client/server mentality that went out at the end of the 90s. It's part of the reason why n-tier architectures came into vogue. Client/server can't scale horizontally as well as an n-tier solution.
I'd advise that you take better advantage of the middle tier. Security should be a cross-cutting concern that's further up the stack than your persistence layer.
If the MANAGEMENT of the database security is the issue, then you should add the task of automating that management. That means that you can store higher level data with the database tables, and then your application can convert that data in to the appropriate details and artifacts that the database requires.
It sounds like the database has the detail that you need, you just need to facilitate the management of that detail, and roll that in to your app.
My honest advice: Do not invent POS and inventory software. Take one of existing projects and make it better.