Access to vector data is restricted by controlling access to the tables in which the vector data is stored. Access restrictions are set using the confidentiality management feature of Fujitsu Enterprise Postgres.
The following is an example of using the confidentiality management feature to grant reference rights to the table sample, which contains text data, and the table sample_embedding_store, which contains vector data generated by this feature.
Refer to the "Confidentiality Management" in the Security Operations Guide to define confidentiality management role, confidentiality matrix, confidentiality level, and confidentiality group.
Grant confidentiality privilege for the table to the confidentiality group.
SELECT pgx_grant_confidential_privilege('rag_matrix', 'level1', 'group1', '{"schema": ["ALL"], "table": ["SELECT"]}');Add tables containing text data and embedded tables as confidentiality object to the confidentiality level.
SELECT pgx_add_object_to_confidential_level ('rag_matrix', 'level1',
'[{
"type":"table",
"object":[
{
"schema":"public",
"table":["sample"]
},
{
"schema":"public",
"table":["sample_embedding_store"]
},
]
}]');Add the role to the confidentiality group.
SELECT pgx_add_role_to_confidential_group('rag_matrix', 'group1', '["rag_user"]');Information
A vector table contains foreign keys, vector data, and chunks, but it is not necessary to set access privileges on a column-by-column basis; setting access privileges on a table-by-table basis is sufficient.
The following is an example of setting row-level security for table sample, which contains text data, and table sample_embedding_store, which contains vector data generated by this function. In this example, sample and sample_embedding_store contain user names in a column called username, and sample_embedding_store has the primary key (id) of sample as a foreign key (id). When using row-level security, grant the BYPASSRLS attribute to the user set in VECTORIZE_USER.
Refer to the "Confidentiality Management" in the Security Operations Guide to define confidentiality management role, confidentiality matrix, confidentiality level, and confidentiality group.
Grant confidentiality privilege for the rowset to the confidentiality group.
SELECT pgx_grant_confidential_privilege('rag_matrix', 'level1', 'group1', '{"table": ["SELECT"], "schema": ["ALL"],"rowset":["SELECT"]}');Enable row-level security for the table.
ALTER TABLE sample ENABLE ROW LEVEL SECURITY; ALTER TABLE sample_embeddings_store ENABLE ROW LEVEL SECURITY;
Ensure that the tables on which the target view is based are checked against the privileges of the view's user.
ALTER VIEW sample_embeddings SET (security_invoker = true);
Add the ai schema, tables containing text data and embedded tables and embedded views as confidentiality objects to the confidentiality level.
SELECT pgx_add_object_to_confidential_level ('rag_matrix', 'level1',
'[{
"type":"schema",
"object":[
{"schema":"ai"},
{"schema":"pgx_vectorizer"}
]
},
{
"type":"table",
"object":[
{
"schema":"public",
"table": ["sample", "sample_embeddings_store", "sample_embeddings"]
},
{
"schema":"ai",
"table": ["vectorizer"]
}
]
}]');Add the table containing text data and the rowset of the embedded table as confidentiality objects to the confidentiality level.
SELECT pgx_add_object_to_confidential_level ('rag_matrix', 'level1',
'[{
"type":"rowset",
"object":[
{
"schema":"public",
"table": "sample",
"rowset_name": "rowset1",
"rowset_expression":[
{
"as": "permissive",
"using": "username = current_user"
}]
},
{
"schema":"public",
"table": "sample_embeddings_store",
"rowset_name": "rowset1",
"rowset_expression":[
{
"as": "permissive",
"using": "EXISTS (SELECT 1 FROM public.sample WHERE public.sample.id = public.sample_embeddings_store.id AND public.sample.\"username\" = current_user)"
}]
}
]
}]');Add the role to the confidentiality group.
SELECT pgx_add_role_to_confidential_group('rag_matrix', 'group1', '["rag_user"]');