Function name | Return value | Description |
---|---|---|
pgx_create_confidential_group(confidential_matrix_name varchar, confidential_group_name varchar, options json, comment text) | void | Creates the confidentiality group, registers it with the specified confidentiality matrix, and adds it to the pgx_confidential_group table with the specified comment and the attributes given in options. Only the confidentiality management role for the specified confidentiality matrix can execute this function; however, setting some attributes requires superuser privileges, as described below, so the confidentiality management role must itself be a superuser if those attributes are to be set. This function internally uses the CREATE ROLE statement to create the confidentiality group role. The length of confidential_group_name must be less than 64 characters (the unit is characters, not bytes). There are no restrictions on the characters that can be used in confidential_group_name. When you pass the name of the confidentiality group to other functions, you must pass exactly the string you passed to this function: unlike most CREATE statements, confidentiality group names are case-sensitive. In options, specify the attributes of the confidentiality group in the following form; if you specify NULL, each attribute takes its default value: '{ "SUPERUSER":false, "CREATEDB":true, "CREATEROLE":false, "REPLICATION":false, "BYPASSRLS":false }'. The only attributes that can be specified are SUPERUSER, CREATEDB, CREATEROLE, REPLICATION and BYPASSRLS, the role attributes that govern access privileges to data; these are a subset of the role attributes accepted by the CREATE ROLE statement, and their semantics and default values are the same as in the CREATE ROLE specification. As in the CREATE ROLE statement, this function fails if a non-superuser specifies true for the SUPERUSER, REPLICATION or BYPASSRLS attribute. |
pgx_alter_confidential_group(confidential_matrix_name varchar, confidential_group_name varchar, alter_object json) | void | Changes the attributes of a confidentiality group. Only the confidentiality management role for the specified confidentiality matrix can execute this function. As described for pgx_create_confidential_group, you must be a superuser to set some attributes. This function internally uses the ALTER ROLE statement to change the attributes of the confidentiality group role. In alter_object, specify each attribute you want to change and its new value in key-value form, for example: '{ "name":"group_new", "comment":"Members of this group have the highest confidential clearance.", "CREATEDB":false }'. name: the name of the confidentiality group after modification; cannot be null. comment: the comment after the change; can be null. The other attributes are the same as in the options of pgx_create_confidential_group. Attributes that are not specified are not changed. Note that if you change an attribute to a weaker one, for example CREATEDB to false, the attributes of the roles registered in the confidentiality group are weakened in the same way. |
pgx_drop_confidential_group(confidential_matrix_name varchar, confidential_group_name varchar, cascade bool, drop_role bool) | void | Removes the confidentiality group from the confidentiality matrix and deletes the confidentiality group. Only the confidentiality management role for the specified confidentiality matrix can execute this function. If cascade is true, the confidentiality group can be deleted even if roles are registered in it; if cascade is false, a confidentiality group that has roles registered in it cannot be deleted. Specify true for drop_role to also drop the confidentiality group role; the roles registered in the confidentiality group remain. If drop_role is false, the confidentiality group role is not deleted; in that case the function revokes from the retained confidentiality group role the privileges defined as confidentiality privileges. |
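The following session, added here as an illustration and not taken from the original reference, calls the three functions in order while connected as the confidentiality management role. The matrix name hr_matrix, the group names, the comments and the option values are constructed placeholders; the session also assumes, per "attributes that are not specified are not changed", that omitting name from alter_object leaves the group name as it is.

```sql
-- Added example; hr_matrix, hr_readers, hr_admins and the comments are constructed placeholders.
-- Run as the confidentiality management role for hr_matrix.

-- 1. Create a group with default attributes (options = NULL).
SELECT pgx_create_confidential_group('hr_matrix', 'hr_readers', NULL,
       'Analysts with read-only clearance');

-- 2. Create a group with explicit attributes. Only the five listed keys are accepted;
--    true for SUPERUSER, REPLICATION or BYPASSRLS requires the caller to be a superuser.
SELECT pgx_create_confidential_group('hr_matrix', 'hr_admins',
       '{ "SUPERUSER":false, "CREATEDB":true, "CREATEROLE":true, "REPLICATION":false, "BYPASSRLS":false }',
       'Group allowed to create databases and roles');

-- 3. Rename the first group and clear its comment. name must not be null; comment may be.
--    Group names are case-sensitive, so 'HR_Readers' would not match the group created above.
SELECT pgx_alter_confidential_group('hr_matrix', 'hr_readers',
       '{ "name":"hr_readers_v2", "comment":null }');

-- 4. Weaken hr_admins: CREATEDB false is applied to every role registered in the group as well.
SELECT pgx_alter_confidential_group('hr_matrix', 'hr_admins', '{ "CREATEDB":false }');

-- 5. Drop hr_admins even if roles are still registered (cascade = true) and drop its role (drop_role = true).
--    The member roles themselves remain.
SELECT pgx_drop_confidential_group('hr_matrix', 'hr_admins', true, true);

-- 6. Drop hr_readers_v2 only if no roles remain registered (cascade = false) and keep the role
--    (drop_role = false); the function revokes the confidentiality privileges from the retained role.
SELECT pgx_drop_confidential_group('hr_matrix', 'hr_readers_v2', false, false);
```

Step 5 with cascade = true is the one to audit most carefully: it removes the group from the matrix even though roles are still registered in it, so those roles lose the group's confidentiality privileges in one statement. Step 6 with cascade = false fails instead when roles remain, which is the safer default for a scripted teardown.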