This section describes how to confirm that the contents registered in the confidentiality matrix match the confidentiality objects and roles managed in the PostgreSQL system catalog. The method shown here is just an example.
Inspector
The inspector must have SELECT privilege on the tables of the pg_confidential_management_support extension, and SELECT privilege on the system tables that hold the confidentiality objects and roles registered in the confidentiality matrix under review. At a minimum, the confidentiality management role for that confidentiality matrix and superusers have these privileges.
Procedure
The confirmation procedure is divided into the following three phases. If you detect a discrepancy, use the audit log to investigate what caused it, and then correct the state so that it matches the design.
Note
Restoring the correct state may change (modify) other objects in a chain reaction, and doing so may erase traces of unauthorized manipulation. Therefore, it is recommended that you investigate any design inconsistencies, and make sure the audit logs needed for that investigation are available, before fixing them.
The pgx_get_privileges_on_matrix function presented here can output a very large table if the number of confidentiality objects or roles is large. If the size of this result exceeds the value of PostgreSQL's work_mem parameter, PostgreSQL writes it to temporary files on disk, which slows the query. Therefore, it is recommended that work_mem be set as high as possible in the session in which this function is executed.
If you detect a mismatch, please restore the correct state by executing functions such as pgx_alter_confidential_level function provided by this extension.
Attributes of the confidentiality matrix
Check using the pgx_confidential_matrix table.
Number of registered confidentiality levels and attributes of each confidentiality level
Check the rows in the pgx_confidential_level table whose clevmatid matches the identifier of the confidentiality matrix to be checked. To find that identifier, see cmatid in the pgx_confidential_matrix table.
Number of registered confidentiality groups and attributes of each confidentiality group
Check the rows in the pgx_confidential_role table whose ccolmatid matches the identifier of the confidentiality matrix to be checked.
Confidentiality group privileges set to confidentiality level
Refer to the pgx_confidential_privileges table. In this table, confidentiality levels and confidentiality groups are represented by their identifiers; join it with the pgx_confidential_level and pgx_confidential_role tables if you want to check by confidentiality level name or confidentiality group name.
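As an added example (not part of this manual), the following two queries perform the three checks above for one matrix: the first counts the levels and groups registered for the matrix so the counts can be compared with the design, and the second resolves the identifiers in pgx_confidential_privileges to level and group names. Only cmatid, clevmatid and ccolmatid are column names given on this page; every other column name used here (cmatname, clevid, clevname, crolid, crolname, cprivilege) is an assumption and must be replaced with the names from the actual catalog definitions in "B.7 Functions that Support Definition Referencing and Comparison with System Catalogs".

```sql
-- Added example, not from the manual. Only cmatid, clevmatid and ccolmatid
-- are named on this page; the other column names are assumptions and must be
-- replaced with those in the real pgx_confidential_* table definitions.

-- Checks 1 and 2: how many levels and groups does the matrix actually have?
-- Compare both counts with the design document.
SELECT m.cmatid,
       m.cmatname,                                            -- assumed
       (SELECT count(*) FROM pgx_confidential_level AS l
         WHERE l.clevmatid = m.cmatid)  AS level_count,
       (SELECT count(*) FROM pgx_confidential_role AS r
         WHERE r.ccolmatid = m.cmatid)  AS group_count
  FROM pgx_confidential_matrix AS m
 WHERE m.cmatname = 'matrix_foo';                             -- assumed

-- Check 3: privileges listed by level name and group name instead of by
-- identifier, restricted to one matrix.
SELECT l.clevname   AS confidentiality_level,                 -- assumed
       r.crolname   AS confidentiality_group,                 -- assumed
       p.cprivilege AS privilege                              -- assumed
  FROM pgx_confidential_privileges AS p
  JOIN pgx_confidential_level  AS l ON l.clevid = p.clevid   -- assumed id columns
  JOIN pgx_confidential_role   AS r ON r.crolid = p.crolid   -- assumed id columns
  JOIN pgx_confidential_matrix AS m ON m.cmatid = l.clevmatid
 WHERE m.cmatname = 'matrix_foo'
   -- guard: a privilege row that pairs a level with a group from another
   -- matrix would be dropped here, so compare the row count of this query
   -- with an unguarded run if the numbers do not add up.
   AND r.ccolmatid = m.cmatid
 ORDER BY 1, 2, 3;
```

Run the second query once with and once without the matrix guard on the group: a difference in row counts points at a privilege row whose group belongs to a different matrix, which is itself a discrepancy worth tracing in the audit log.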
Confirm that the definition of the confidentiality management feature matches the definition of the confidentiality objects and roles. If you detect a mismatch, restore the correct state by executing the functions provided by this extension, such as the pgx_alter_confidential_level function.
Is the number of confidentiality objects registered in the confidentiality level the same as designed?
Do the attributes of each confidentiality object match the attributes of the confidentiality level to which it belongs?
It is recommended to check these using the pgx_get_attribute_of_objects function, because it reads the state of each confidentiality object from the PostgreSQL system catalog and outputs a table that can be compared directly with the definition. For the format of the table, refer to "B.7 Functions that Support Definition Referencing and Comparison with System Catalogs".
Is the number of roles registered in the confidentiality group the same as designed?
Do the attributes of each role match the attributes of the confidentiality group to which it belongs?
It is recommended to check these using the pgx_get_attribute_of_roles function. For the format of the table returned by functions that output privilege information, such as this one, refer to "B.7 Functions that Support Definition Referencing and Comparison with System Catalogs".
Verify that the roles granted access to confidentiality objects, and the privileges they hold, are consistent with the definitions in the confidentiality matrix. The pgx_get_privileges_on_matrix function is a good help here. For details on its output format, see "7.3.5 Granting Confidentiality Privileges to Confidentiality Groups".
If you want to focus on a particular confidentiality level and group, object, or role, use one of the functions below.
pgx_get_privileges_on_level_and_group()
pgx_get_privileges_on_object()
pgx_get_privileges_on_role()
Point
It is inefficient to output a large table many times in order to analyze it with various SQL statements. You can analyze it efficiently by running the function once inside an INSERT statement, as shown below, and then querying the stored result. The target table must already exist with columns matching the function's output; note that the function must be placed in the FROM clause so that its rows are expanded into columns.
INSERT INTO temp_table_for_analysis SELECT * FROM pgx_get_privileges_on_matrix('matrix_foo');
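As an added example that is not part of this manual, the following session follows the Point above: it raises work_mem for the session, materializes the function output once into a temporary table, and diffs it against the designed state in both directions with EXCEPT, so the third phase of the procedure becomes a single query. The column names objname, rolname and privilege in the function output are assumptions (see "7.3.5 Granting Confidentiality Privileges to Confidentiality Groups" for the real format), and the rows in designed_privs are constructed sample data standing in for the design document.

```sql
-- Added example, not from the manual. The output column names (objname,
-- rolname, privilege) are assumptions; the designed_privs rows are
-- constructed samples that stand in for the design document.

SET work_mem = '256MB';          -- per session only; see the Note above

-- Materialize the (possibly very large) function output once.
CREATE TEMP TABLE actual_privs AS
  SELECT objname, rolname, privilege                 -- assumed column names
    FROM pgx_get_privileges_on_matrix('matrix_foo');

-- Designed state, transcribed from the design document (constructed sample).
CREATE TEMP TABLE designed_privs (objname text, rolname text, privilege text);
INSERT INTO designed_privs VALUES
  ('public.customers', 'analyst_group', 'SELECT'),
  ('public.customers', 'ops_group',     'SELECT'),
  ('public.customers', 'ops_group',     'UPDATE');

-- Both directions of the comparison in one result. An empty result means
-- the catalog matches the design.
SELECT 'unexpected' AS kind, u.*      -- granted in the catalog, not designed:
  FROM (SELECT objname, rolname, privilege FROM actual_privs
        EXCEPT
        SELECT objname, rolname, privilege FROM designed_privs) AS u
UNION ALL
SELECT 'missing' AS kind, d.*         -- designed, but not granted in the catalog
  FROM (SELECT objname, rolname, privilege FROM designed_privs
        EXCEPT
        SELECT objname, rolname, privilege FROM actual_privs) AS d
ORDER BY kind, objname, rolname, privilege;
```

Treat the "unexpected" rows as the security-relevant ones: they are grants that the design never authorized, and per the Note above they should be traced in the audit log before being revoked, since revoking them may erase the evidence of how they were created.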