Function name | Return value | Description |
---|---|---|
pgx_create_confidential_matrix(confidential_matrix_name varchar, comment text) | void | Creates a confidentiality matrix with the specified name. The created confidentiality matrix is registered in the pgx_confidential_matrix table along with the comment. Only roles that meet the requirements for a confidentiality management role can execute this function. The role that executes this function becomes the confidentiality management role for the confidentiality matrix. Functions that take a confidentiality matrix name require that the executing role be a confidentiality management role for the specified confidentiality matrix. For details, refer to "7.2.2 Determining Confidentiality Management Roles". The length of confidential_matrix_name must be less than 64 characters. Note that the unit is characters, not bytes. There are no restrictions on the characters that can be used in confidential_matrix_name. When you pass the name of the confidentiality matrix to other functions, you must specify exactly the same string that you specified to this function. Note that, unlike in most CREATE statements, the name of the confidentiality matrix is case sensitive. |
pgx_copy_confidential_matrix(confidential_matrix_name varchar, source_confidential_matrix_name varchar) | void | Copies the source confidentiality matrix specified by source_confidential_matrix_name to a confidentiality matrix named confidential_matrix_name. The details of the confidentiality matrix, confidentiality levels, confidentiality groups, and confidentiality privileges are replicated. However, the confidentiality objects registered in the confidentiality levels and the roles registered in the confidentiality groups are not duplicated. A confidentiality management role of any confidentiality matrix can execute this function. The owner of the copied confidentiality matrix is the role that executed this function. The restrictions on the confidential_matrix_name string are the same as for the pgx_create_confidential_matrix function. Comments are also duplicated. |
pgx_alter_confidential_matrix(confidential_matrix_name varchar, alter_object json) | void | Changes the attributes of the confidentiality matrix named by confidential_matrix_name. Only a confidentiality management role for the specified confidentiality matrix can execute this function. For alter_object, specify each attribute you want to change and its new value in key-value format as follows. Attributes that are not specified remain unchanged. '{ "name":"matrix_foo", "comment":"This matrix is defined for foo." }' name: Specify the new name of the confidentiality matrix. Cannot be null. The function fails if you specify the name of a confidentiality matrix that already exists. comment: Specify the new comment. Can be null. |
pgx_drop_confidential_matrix(confidential_matrix_name varchar, cascade bool, drop_role bool) | void | Drops the confidentiality matrix with the specified name. Only a confidentiality management role for the specified confidentiality matrix can execute this function. Specify true for cascade to recursively check and remove the objects that depend on this confidentiality matrix. For example, the confidentiality groups and confidentiality levels registered in this confidentiality matrix are deleted, and then the confidentiality privileges associated with those confidentiality levels are removed. A confidentiality level is dropped by internally executing the pgx_drop_confidential_level function with the cascade value. A confidentiality group is dropped by internally executing the pgx_drop_confidential_group function with the cascade and drop_role values. See also the descriptions of these functions. In particular, it is important to understand how the privileges on confidentiality objects are changed. Specifying false for cascade simply removes the confidentiality matrix. The function fails if there are objects that depend on this confidentiality matrix. If true is specified for drop_role, the confidentiality group roles registered in this confidentiality matrix are deleted. Naturally, this only makes sense when cascade is true. |
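
The following SQL is an added example, not taken from the product documentation: it walks one confidentiality matrix through the four functions above in the order an administrator would normally use them. The names matrix_bar and matrix_foo_copy and the comment strings are constructed for illustration, and the session is assumed to run as a role that qualifies as a confidentiality management role and can read pgx_confidential_matrix.

```sql
-- Added example; matrix_bar, matrix_foo_copy and the comments are constructed.

-- 1. Create. The calling role becomes the confidentiality management role
--    for this matrix. The name is case sensitive and limited to fewer than
--    64 characters (characters, not bytes).
SELECT pgx_create_confidential_matrix('matrix_bar', 'Draft matrix for bar.');

-- 2. Confirm the registration. SELECT * is used because the column layout
--    of pgx_confidential_matrix is not shown in the table above.
SELECT * FROM pgx_confidential_matrix;

-- 3. Rename and re-comment in one call. Keys that are omitted from the JSON
--    stay unchanged; "name" cannot be null and must not collide with an
--    existing matrix, "comment" may be null.
SELECT pgx_alter_confidential_matrix(
    'matrix_bar',
    '{ "name":"matrix_foo", "comment":"This matrix is defined for foo." }'
);

-- From here on the matrix must be referenced as exactly 'matrix_foo'.
-- 'Matrix_Foo' or 'MATRIX_FOO' would be treated as different names.

-- 4. Copy. Levels, groups and privilege definitions are replicated, but the
--    confidentiality objects and the roles registered in them are not, so
--    the copy grants nothing until objects and roles are registered.
--    The role running this call owns the copy.
SELECT pgx_copy_confidential_matrix('matrix_foo_copy', 'matrix_foo');

-- 5. Drop with cascade = false first. The call fails if anything still
--    depends on the matrix, which guards against removing one that is in use.
SELECT pgx_drop_confidential_matrix('matrix_foo_copy', false, false);

-- 6. Drop with cascade = true and drop_role = true. This also removes the
--    levels and groups in the matrix, their confidentiality privileges and
--    the confidentiality group roles. Review pgx_drop_confidential_level and
--    pgx_drop_confidential_group before running it, because privileges on
--    registered confidentiality objects change as a result.
SELECT pgx_drop_confidential_matrix('matrix_foo', true, true);
```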