Enterprise Postgres 17 Security Operation Guide

B.6 Role Manipulation Functions

Function name: pgx_add_role_to_confidential_group(confidential_matrix_name varchar, confidential_group_name varchar, role_name json)

Return value: void

Description:

Adds a role to a confidentiality group.

Only the confidentiality management role for the specified confidentiality matrix can execute this function.

Adds the role specified by role_name to the confidentiality group specified by confidential_group_name.

If the role to be added already holds broader privileges than the confidentiality privileges allow, the function revokes the excess so that the role's privileges match the confidentiality privileges.

Be careful when privileges on the target confidentiality object have been granted to PUBLIC, because a grant to PUBLIC is equivalent to a grant to every role registered in the confidentiality matrix. This function fails if a privilege granted indirectly to a role through PUBLIC is one that the confidentiality privileges say must not be granted to that role. Similarly, the function also checks privileges granted indirectly through group roles that are not registered in the confidentiality matrix, recursively following the chain of inheritance.

Also, if the added role has stronger attributes than the confidentiality group, the function changes the attributes to match the confidentiality group.

This function fails if a strong attribute is assigned indirectly through a group role that is not registered in the confidentiality matrix.

role_name is specified as follows:

'{["role1","role"]}'

Function name: pgx_remove_role_from_confidential_group(confidential_matrix_name varchar, confidential_group_name varchar, role_name json)

Return value: void

Description:

Removes a role from a confidentiality group.

Only the confidentiality management role for the specified confidentiality matrix can execute this function.

Removes the role specified by role_name from the confidentiality group specified by confidential_group_name.

Internally, this function executes a REVOKE statement to remove the role from the confidentiality group role.

It does not change the attributes of the removed role, nor the privileges granted to that role; it simply removes the role from the group so that it can no longer inherit the group's privileges.

role_name is specified in the same way as for the pgx_add_role_to_confidential_group function.
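The catalog state that pgx_add_role_to_confidential_group inspects (the membership chain, PUBLIC grants on the object, and the candidate role's effective privileges) can be reviewed beforehand with standard PostgreSQL catalog queries. The following is an added example, not part of the guide, and assumes a constructed role name app_reader and a constructed table public.customer; it uses only the standard catalogs, not the product's confidentiality matrix metadata.

```sql
-- Added example (not from the Enterprise Postgres guide): review what
-- pgx_add_role_to_confidential_group will check for a candidate role,
-- using standard PostgreSQL catalogs only.
-- Assumptions (constructed for this example): the candidate role is
-- 'app_reader' and the confidentiality object is the table public.customer.

-- 1. Every role the candidate inherits from, following the membership chain
--    recursively (the chain the function walks when it checks group roles
--    that are not registered in the confidentiality matrix), together with
--    the strong attributes each of those roles carries.
WITH RECURSIVE inherited AS (
    SELECT m.roleid, m.member, 1 AS depth
    FROM pg_auth_members m
    JOIN pg_roles r ON r.oid = m.member
    WHERE r.rolname = 'app_reader'
  UNION
    SELECT m.roleid, m.member, i.depth + 1
    FROM pg_auth_members m
    JOIN inherited i ON m.member = i.roleid
)
SELECT r.rolname AS group_role, i.depth,
       r.rolsuper, r.rolcreaterole, r.rolcreatedb, r.rolbypassrls
FROM inherited i
JOIN pg_roles r ON r.oid = i.roleid
ORDER BY i.depth, r.rolname;

-- 2. Privileges granted on the object to PUBLIC (grantee 0 in the ACL).
--    Every role in the matrix receives these indirectly, so the function
--    verifies them against the confidentiality privileges.
SELECT a.privilege_type, a.is_grantable
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN LATERAL aclexplode(c.relacl) a
WHERE n.nspname = 'public' AND c.relname = 'customer' AND a.grantee = 0;

-- 3. Privileges the candidate can currently exercise on the object, whether
--    held directly, via membership or via PUBLIC. Anything here beyond the
--    confidentiality privileges is what the function will revoke on add.
SELECT p.priv
FROM unnest(ARRAY['SELECT','INSERT','UPDATE','DELETE',
                  'TRUNCATE','REFERENCES','TRIGGER']) AS p(priv)
WHERE has_table_privilege('app_reader', 'public.customer', p.priv);
```

Run these as a role allowed to read the catalogs; a non-empty result in query 2 for a privilege the matrix denies to the candidate role is the condition under which the add function fails.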