A role can belong to multiple confidentiality groups in different confidentiality matrices at the same time. However, a single role cannot be classified into multiple confidentiality groups within a single confidentiality matrix.
Note
We strongly recommend that you do not add a confidentiality group role as a member of another confidentiality group. The confidentiality management feature does not prohibit this, but nesting groups only complicates security management. Note also that PostgreSQL itself does not allow cyclic role memberships.
Once a role has been added to a confidentiality group, we strongly recommend that it not be made a member of any role group that is not managed by the confidentiality matrix. The confidentiality management feature does not prohibit this, but the role then also receives whatever privileges are granted to the unmanaged group; if those privileges are later increased carelessly, the unmanaged group becomes a loophole through which a role managed by the confidentiality management feature can escape the restrictions of the matrix.
Note that this feature does not allow a role that already has such a loophole to be added to a confidentiality group.
As of Fujitsu Enterprise Postgres 16, the behavior of the CREATEROLE privilege has changed: when a non-superuser is used as the confidentiality management role, that role must hold ADMIN OPTION on every role it adds to a confidentiality group. Therefore, a role that can be added to a confidentiality group must be one of the following:
A role created by the confidentiality management role itself (in PostgreSQL 16, the creating role is automatically granted membership in the new role with ADMIN OPTION)
A role for which ADMIN OPTION has previously been granted to the confidentiality management role
Example) To grant the confidentiality management role manager_role ADMIN OPTION on role user_role1 only, without inheriting its privileges or being able to SET ROLE to it:
GRANT user_role1 TO manager_role WITH ADMIN TRUE, INHERIT FALSE, SET FALSE;
For information about changing the CREATEROLE privilege, refer to "Migration to Version 16" in the PostgreSQL Documentation.
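The following SQL is an added example, not taken from the Fujitsu Enterprise Postgres manual, that sets up both kinds of role listed above and then verifies the grants. The role names manager_role, user_role1 and user_role2 are assumptions; it uses only standard PostgreSQL 16 statements and catalogs, and is run as a superuser.

```sql
-- Added example (not from the Fujitsu Enterprise Postgres manual).
-- Role names are assumptions. Run as a superuser on PostgreSQL 16 or later.

-- The confidentiality management role: a non-superuser with CREATEROLE.
CREATE ROLE manager_role CREATEROLE NOSUPERUSER;

-- Case 1: a role created by the confidentiality management role itself.
-- In PostgreSQL 16 the creating role is automatically granted membership
-- in the new role WITH ADMIN OPTION; INHERIT and SET follow
-- createrole_self_grant, which is empty by default (INHERIT FALSE, SET FALSE).
SET ROLE manager_role;
CREATE ROLE user_role1;
RESET ROLE;

-- Case 2: a role that already exists and was created by someone else.
-- Grant only ADMIN OPTION so manager_role can administer user_role2
-- without acquiring its privileges (INHERIT FALSE) or switching to it (SET FALSE).
CREATE ROLE user_role2;
GRANT user_role2 TO manager_role WITH ADMIN TRUE, INHERIT FALSE, SET FALSE;

-- Verification: both rows must show admin_option = true, and
-- inherit_option = false and set_option = false, for member manager_role.
-- A role missing from this result cannot be added to a confidentiality
-- group by manager_role.
SELECT r.rolname  AS role,
       m.rolname  AS member,
       am.admin_option,
       am.inherit_option,
       am.set_option
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  m.rolname = 'manager_role'
ORDER  BY r.rolname;
```

If the verification query shows inherit_option or set_option as true for a role, the management role has been given more than it needs: it would itself acquire the privileges of the role it administers, which is exactly the kind of privilege widening the confidentiality matrix is meant to prevent. Re-issue the GRANT with INHERIT FALSE, SET FALSE in that case.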