endlessm / azafea

Service to track device activations and usage metrics
Mozilla Public License 2.0

Implement ACL in PostgreSQL #46

Closed bochecha closed 4 years ago

bochecha commented 5 years ago

Azafea processes and stores everything it gets sent.

In the case of Endless, that means it stores data from multiple deployments.

We eventually want Endless employees and contractors not to have access to everything, but only to the data corresponding to the deployments they work on.

That means figuring out a way to allow access only to certain rows when querying.

One possibility is to grant row-level permissions: https://www.postgresql.org/docs/11/ddl-rowsecurity.html

Another possibility would be to create views which pre-filter the data, and grant people access only to certain views.

adarnimrod commented 5 years ago

My 2c on this is in favor of views. Not all of the deployment tools (like Terraform, which we use) have support for row-level security, but most (all?) have support for the more mundane privilege system. One other thought I have on the subject is about a reporting/dashboard tool. If users have access to such a tool and they can use it to build dashboards for themselves (which in turn has some privileges to query the database), which of the 2 is the better option to limit such access? Or does the tool have to have some ACL of its own?

adarnimrod commented 4 years ago

This issue was resolved on the Endless side in our Terraform deploy. We can close this issue.
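
The two options weighed in this thread, row-level security and pre-filtered views, side by side in PostgreSQL. This is an added example, not code from the Azafea project or from the Endless deployment; the `activation` and `deployment_acl` tables, the `deployment` column and the roles `analysts`, `alice` and `bob` are all assumptions made for illustration.

```sql
-- Constructed schema: every table, column and role name is an assumption.
CREATE TABLE activation (
    id          bigserial PRIMARY KEY,
    deployment  text NOT NULL,
    received_at timestamptz NOT NULL DEFAULT now()
);
INSERT INTO activation (deployment) VALUES ('deployment-a'), ('deployment-b');

-- Maps a database role to the deployments it may read.
CREATE TABLE deployment_acl (
    role_name  name NOT NULL,
    deployment text NOT NULL,
    PRIMARY KEY (role_name, deployment)
);
CREATE ROLE analysts NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE analysts;
CREATE ROLE bob LOGIN;
INSERT INTO deployment_acl VALUES ('alice', 'deployment-a');

-- Option 1: row-level security on the base table.
-- Superusers, BYPASSRLS roles and (without FORCE ROW LEVEL SECURITY) the
-- table owner are not subject to policies, so analysts must be plain roles.
ALTER TABLE activation ENABLE ROW LEVEL SECURITY;
CREATE POLICY activation_by_deployment ON activation
    FOR SELECT TO analysts
    USING (deployment IN (SELECT acl.deployment FROM deployment_acl acl
                          WHERE acl.role_name = current_user));
GRANT SELECT ON activation TO analysts;
-- The policy's subquery runs with the caller's privileges, so the caller
-- must be able to read the mapping (this also lets analysts see it).
GRANT SELECT ON deployment_acl TO analysts;

-- Option 2: a pre-filtered view, using only ordinary GRANTs.
-- The view reads the base table with its owner's privileges, so bob gets
-- no grant on activation itself. security_barrier stops functions in the
-- caller's WHERE clause from being evaluated on rows the view filters out.
CREATE VIEW activation_deployment_a WITH (security_barrier) AS
    SELECT id, received_at FROM activation WHERE deployment = 'deployment-a';
GRANT SELECT ON activation_deployment_a TO bob;

-- Checks, run as the owner or a superuser: compare what each role can read.
SET ROLE alice;
SELECT deployment, count(*) FROM activation GROUP BY deployment;
RESET ROLE;
SET ROLE bob;
SELECT count(*) FROM activation_deployment_a;
RESET ROLE;
```

With either option, a dashboard tool that connects under one shared database role sees whatever that role sees, so per-user limits only hold if the tool connects as, or switches to, the individual user's role.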