Re: Security and performance
From | Joel Burton |
---|---|
Subject | Re: Security and performance |
Date | |
Msg-id | Pine.LNX.4.21.0105021758360.21206-100000@olympus.scw.org |
In response to | Security and performance (pgsql@itsbruce.uklinux.net) |
Responses | Re: Security and performance |
List | pgsql-general |
On Wed, 2 May 2001 pgsql@itsbruce.uklinux.net wrote:

> I'm writing the database backend to a web application. Being paranoid I
> want to limit the damage/exposure that the application can do.
>
> One way would be to create a database user for each application user
> (i.e. login name) and to create views for each user, not giving them any
> permissions on sensitive tables but only letting them see their own data
> through the views. How would that affect the database as the number of
> users climbs through the hundreds to the thousands? Would the thousands
> of views slow the database down? Is there an upper limit to the number
> of views?

Instead of making a kajillion views, could you use a RULE that checks their identity against some field, and either does the right thing or does nothing, depending on this info?

It would seem *MUCH* easier to maintain.

--
Joel Burton <jburton@scw.org>
Director of Information Systems, Support Center of Washington
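One way to realise the suggestion above, as an added example that is not part of the original message or thread: a single view filtered on `current_user`, with rules that route writes back to the base table, replaces the per-user views. The table, column, view, rule and role names are assumptions made for illustration, and the syntax is that of current PostgreSQL releases.

```sql
-- Constructed schema: all names here are hypothetical.
CREATE TABLE account_data (
    id      integer PRIMARY KEY,
    owner   name NOT NULL,        -- database login that owns the row
    payload text
);

-- Group role that every per-user login is a member of (assumption).
CREATE ROLE app_users NOLOGIN;

-- Application logins get no direct access to the sensitive table.
REVOKE ALL ON account_data FROM PUBLIC;

-- One view for all users: a session sees only rows tagged with its own login.
CREATE VIEW my_data AS
    SELECT id, payload
    FROM account_data
    WHERE owner = current_user;

-- Writes through the view are rewritten against the base table.
-- The owner column is always set from the session, never from user input.
CREATE RULE my_data_ins AS ON INSERT TO my_data
    DO INSTEAD
    INSERT INTO account_data (id, owner, payload)
    VALUES (NEW.id, current_user, NEW.payload);

-- Updates and deletes touch a row only if the session owns it;
-- for anyone else the statement matches zero rows and does nothing.
CREATE RULE my_data_upd AS ON UPDATE TO my_data
    DO INSTEAD
    UPDATE account_data
    SET payload = NEW.payload
    WHERE id = OLD.id AND owner = current_user;

CREATE RULE my_data_del AS ON DELETE TO my_data
    DO INSTEAD
    DELETE FROM account_data
    WHERE id = OLD.id AND owner = current_user;

-- Privileges are granted on the view only.
GRANT SELECT, INSERT, UPDATE, DELETE ON my_data TO app_users;
```

The base table is reached with the view owner's privileges, so the view owner should be a role the web application never logs in as.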