Search Postgresql Archives

Re: HIPPA (was Re: Anyone know ...)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Karsten-
You would need some manner of DML operation to take place (in this way the DB trigger could sense the change in DB state to activate e-mail)
Otherwise you could do so at your Webapp login
Does this answer your question?
Tak
Martin--
--------------------------------------------------------------------------- 
This e-mail message (including attachments, if any) is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, proprietary , confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited.
--------------------------------------------------------------------------- 
Le présent message électronique (y compris les pièces qui y sont annexées, le cas échéant) s'adresse au destinataire indiqué et peut contenir des renseignements de caractère privé ou confidentiel. Si vous n'êtes pas le destinataire de ce document, nous vous signalons qu'il est strictement interdit de le diffuser, de le distribuer ou de le reproduire.
----- Original Message ----- 
From: "Karsten Hilbert" <Karsten.Hilbert@xxxxxxx>
To: <pgsql-general@xxxxxxxxxxxxxx>
Sent: Friday, March 09, 2007 11:45 AM
Subject: Re: HIPPA (was Re: [GENERAL] Anyone know ...)


> On Fri, Mar 09, 2007 at 11:02:45AM -0500, Kenneth Downs wrote:
> 
>> >>First, security is defined directly in terms of tables, it is not 
>> >>arbitrated by code.  The "public" group has SELECT access to the 
>> >>articles table and the schedules tables, that's it.  If a person figures 
>> >>out how our links work and tries to access the "claims" table it will 
>> >>simply come up blank (and we get an email).
>> 
>> If a user has not logged in, that is, if they are an anonymous visitor, 
>> the web framework will connect to the database as the default "public" 
>> user.  Our system is deny-by-default, so this user cannot actually read 
>> >from any table unless specifically granted permission.  In the case 
>> being discussed, the public user is given SELECT permission on some 
>> columns of the insurance carriers table, and on the schedules table.
>> 
>> The column-level security is important, as you don't want anybody seeing 
>> the provider id!
>> 
>> If the user figures out our URL scheme, they might try something like 
>> "?gp_page=patients" and say "Wow I'm clever I'm going to look at the 
>> patients table", except that the public user has no privilege on the 
>> table.  The db server will throw a permission denied error.
> 
> My interest was more towards the "we get an email" part.
> What level do you send that from ? A trigger ?
> 
> Karsten
> -- 
> GPG key ID E4071346 @ wwwkeys.pgp.net
> E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 2: Don't 'kill -9' the postmaster
>

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux