When building FEPCluster, the extension "pgx_confidential_management_support" of the confidentiality management feature was installed and set up in the following database.
template1
postgres
Database specified in spec.fepChildCrVal.sysUsers.pgdb
In addition, when creating a confidential administrator role (spec.fepChildCeVal.sysUsers.pgSecurityUser), this role is assigned the following functions necessary for executing confidentiality management feature.
CREATE ROLE
SELECT, INSERT, UPDATE, and DELETE privileges on all tables included in the extension
Therefore, immediately after FEPCluster is built, database objects can be managed by the confidentiality management feature in a database in which the extension "pgx_confidential_management_support" is installed or in a database created from template1.
Refer to "Confidentiality Management" in the Fujitsu Enterprise Postgres Security Operation Guide for details on how to operate the security management support function.
Refer to "Tables Used by Confidentiality Management Feature" in the Fujitsu Enterprise Postgres Security Operation Guide for tables included in the extension.
In addition, if a database role other than the confidential administrator role needs to operate the confidentiality management feature, such as by preparing a database role for each schema that manages database objects using the confidentiality management feature, the confidentiality management feature assign the following privileges to the datdabase role.
CREATE ROLE
SELECT, INSERT, UPDATE, and DELETE privileges on all tables included in the extension
When using the confidentiality management feature to manage database objects created by other users, it is necessary to grant ownership of the database objects to the database role that operates the confidentiality management feature.
Example) When giving ownership of the table "security_table" to the confidential administrator user "security_user"
ALTER TABLE security_table OWNER TO security_user;
The owner of the database object can be confirmed using the PostgreSQL meta-command "\d".
