A confidentiality matrix is a matrix of confidentiality levels and confidentiality groups. Elements of the confidentiality matrix are confidentiality privileges. Here we define them.
A confidentiality level is a group of data with the same degree of confidentiality, and a confidentiality group is a group of roles with the same access to confidentiality data. The details are described below.
The end result is to classify database objects into confidentiality levels and roles into confidentiality groups. But for the first step, define your confidentiality matrix abstractly without thinking about concrete tables, roles, etc. By doing so, the relationship between confidentiality levels and confidentiality groups can also be applied to databases with different sets of database objects.
You can define multiple confidentiality matrices. These confidentiality matrices are identified by a name, but the name is unique within the database (not the database cluster).
A role that manages the confidentiality matrix is called a confidentiality management role. The details are described below.
How to create multiple confidentiality matrices
There are various design methods, but an example is shown below.
Create one confidentiality matrix for a dataset
For example, create one confidentiality matrix for one section of your organization.
Copy the confidentiality matrix if the two sections have the same confidentiality design
When multiple organizations share datasets, create a single confidentiality matrix for the shared datasets
An example of this case is shown below.
Create a confidentiality matrix A for the dataset that only section 1 has access to.
Create a confidentiality matrix B for the dataset that only section 2 has access to.
Create a confidentiality matrix S for the dataset shared by section 1 and section 2.
Section 1 administrator M1 is in charge of the confidentiality management role for confidentiality matrix A.
Section 2 administrator M2 is in charge of the confidentiality management role for confidentiality matrix B.
Role group G to which M1 and M2 belong is in charge of confidentiality management role of confidentiality matrix S.
Confidentiality level is a concept that indicates degree of confidentiality. For example, determine a confidentiality level that classifies tables that contain personal information and those that do not.
A collection of data that you classify as confidentiality level is a database object, such as a table. Such objects are called confidentiality objects. Refer to "What is a confidentiality objects?" for confidentiality objects.
Attributes can be set for the confidentiality level. For example, if a confidentiality level has an attribute that requires encryption, tables belonging to that confidentiality level are required to be encrypted. The confidentiality management feature may or may not automatically change the attribute of the confidentiality object to which it belongs. Also, each attribute targets a different confidentiality object.
The table below shows the attribute description, the confidentiality object targeted, and whether to change the attribute of the confidentiality object automatically.
Confidentiality level attributes | Specifiable values | Confidentiality object type | Auto change | Description |
|---|---|---|---|---|
encryption_algorithm | AES128 AES256 none | table column rowset | No | Requires confidentiality objects to be encrypted with the specified algorithm. For details, refer to "Protecting Storage Data Using Transparent Data Encryption" in the Operation Guide. If none is specified, no encryption is requested. Default is none. The attribute is not changed autlmatically because encryption and decryption involve large data updates. Instead, you cannot add a confidentiality object with an encryption strength lower than the specified encryption strength. Also, when changing to increase the encryption strength, confidentiality objects that do not meet the post-change conditions must not be included. |
What is a confidentiality objects?
Confidentiality objects have the types shown in the following table. For example, some data contained in table T can be added to confidentiality level L1 and other data to confidentiality level L2.
Confidentiality object type | Description |
|---|---|
schema | It does not mean all the tables contained in the schema. It simply means an object that exists in the system catalogs. Means the schema itself that is the target of access control by the GRANT statement. |
table | Includes views, materialized views and partitions as well as tables. Currently do not support foreign tables. |
column | Means column. |
rowset | A set of rows that satisfy a specified condition. Although there is no rowset object in the PostgreSQL system catalog, it is treated as a confidentiality object in the confidentiality management feature for ease of use. Access control for rowset-type confidentiality objects uses PostgreSQL's row-level security functionality internally. Therefore, how access is controlled follows the row-level security specification. |
The following objects may also contain confidential information. However, the current confidentiality management feature does not support them as confidentiality objects. When managing these, it is recommended to manage them in a role different from the confidentiality management role. The details are described in "7.5 Suggestions for Monitoring Methods".
Function
Procedure
Foreign server
Foreign data wrapper
Foreign table
A confidentiality group is an object that indicates which confidentiality level roles in confidentiality group can acdess to. For example, decide which role groups have access to personal information and which groups do not. Confidentiality groups are actually automatically defined as PostgreSQL roles (role groups). This role is called a confidentiality group role.
What is a confidentiality group role?
Confidentiality group roles are targets of GRANT and REVOKE statements executed internally by the confidentiality management feature. And when you add a role to the confidentiality group, the added role becomes a member of the confidentiality group role. The privileges of the added role are given by inheriting the privileges given to the confidentiality group role by the confidentiality management feature.
The following attributes can be set for the confidentiality group role via the function that creates the confidentiality group. The meaning and default value of attribute are the same as in the CREATE ROLE statement specification. These are limited to attributes that may be necessary when managing confidentiality. Therefore, use the confidentiality management feature to change it. The confidentiality management feature automatically sets the following attributes for the role added to the confidentiality group.
SUPERUSER
CREATEDB
CREATEROLE
REPLICATION
BYPASSRLS
Other attributes follow the PostgreSQL CREATE ROLE statement defaults. Even if the attribute is changed using the ALTER ROLE statement, the operation of confidentiality management feature will not be disturbed.
The naming convention for confidentiality group roles is as follows.
pgx_cgroup_role_${serial_number}When deleting a confidentiality group, you can choose not to delete the confidentiality group role. In such a case, it is a means to know that it was a confidentiality group role later.
Note
Do not define roles using strings that follow this naming convention. This is because the name of the new confidentiality group role will be the number next to the maximum ${serial_number} of the role that follows this naming convention. For example, if a role named 'pgx_cgroup_role_999999999999999999' exists, you will not be able to create new confidentiality group roles.
Confidentiality privileges indicate how a confidentiality group can access confidentiality objects registered at a certain confidentiality level.
For example, a confidentiality group R can be defined to have SELECT, INSERT, UPDATE, and DELETE privileges on table-type confidentiality objects belonging to confidentiality level L.
Once a confidentiality object or role has been added to a confidentiality level or confidentiality group, the feature automatically uses the GRANT or CREATE POLICY statement to grant privileges to the actual database object according to the confidentiality privilege definition to the confidentiality group role.
For rowset types, confidentiality privileges are those that can be specified in the CREATE POLICY statement. In cases other than rowset, it is a privilege that can be specified in the GRANT statement. For detailed privileges, refer to the respective SQL statement reference in the PostgreSQL Documentation.
Note
Do not change the definition of POLICY that this feature creates internally. Even if you change it, the function of this feature may return to the state before the change without warning.
Point
For roles registered in the confidentiality matrix, if the privilege to a certain confidentiality object is more than the confidentiality privilege, revoke those privileges according to the confidentiality privilege.
If a role not registered in the confidentiality matrix or PUBLIC was granted privileges to a confidentiality object registered in the confidentiality matrix, functions of this feature for adding confidentiality objects or roles will fail. Because this function is not allowed to manage.
Even in a slightly more complicated situation, failing functions that add confidentiality objects and roles prevent roles added to the confidentiality matrix from deviating from confidentiality privileges:
It is set so that a role registered in the confidentialmatrix can inherit a role not registered in the confidentiality matrix, and as a result, it has more privileges than the confidentiality privileges.
Roles registered in the confidentiality matrix are granted privileges by a POLICY not created by this feature. In this case, the function will fail if such a POLICY exists without rigorously checking for violations of confidentiality privilege.