May 18, 2021

Securing Data: should I be creating users+roles in my db to match users in my app?

I’m not sure if I’m wording this correctly, since most of my Google results seem to show articles on how to set up HTTPS to a db, but basically I’m wondering about the proper design principles for securing access to a database in the following setup:

Currently I have one account on my db for my backend web server. My front end server then interacts with the backend via an API, but I was thinking about how I should properly scope my API calls or data to ensure users can’t access other users’ data. I’m using Postgres, and was thinking every table should have a column with a userID so that the data can be scoped to a user. Or should I be creating a user in my db for every user in my app and use row level permissions, then have my backend server authenticate to the db server as that role?

submitted by /u/plunk2000
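The two options in the post are not mutually exclusive: Postgres row level security can enforce an owner_id column at the database layer while the backend keeps a single connection role, with the authenticated application user's id passed in per transaction rather than as a separate database role per user. The following is an added example, not the poster's code; the table, role name and the `app.current_user_id` setting are assumptions, and the setup statements are meant to be run as the table owner or a superuser.

```sql
-- Hypothetical schema: every row records the application user that owns it.
CREATE TABLE documents (
    id       bigserial PRIMARY KEY,
    owner_id bigint NOT NULL,
    body     text   NOT NULL
);

-- Constructed sample data for two application users, inserted as the table owner.
INSERT INTO documents (owner_id, body) VALUES
    (1, 'alice: draft'),
    (2, 'bob: invoice');

-- The backend connects as one dedicated role (assumed name: app_backend).
-- Table owners and superusers bypass RLS, so the backend must NOT connect as
-- the role that owns the table, and must not have the BYPASSRLS attribute.
CREATE ROLE app_backend LOGIN PASSWORD 'placeholder-change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_backend;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_backend;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;

-- The policy reads the authenticated application user's id from a custom
-- setting (assumed name: app.current_user_id). missing_ok=true plus NULLIF
-- turns an unset or empty setting into NULL, so a request that forgot to set
-- it matches zero rows instead of every row (fail closed).
CREATE POLICY documents_owner_only ON documents
    FOR ALL
    TO app_backend
    USING      (owner_id = NULLIF(current_setting('app.current_user_id', true), '')::bigint)
    WITH CHECK (owner_id = NULLIF(current_setting('app.current_user_id', true), '')::bigint);

-- Per request, after the backend has authenticated the app user itself:
-- SET LOCAL is scoped to the transaction, so a pooled connection cannot carry
-- one user's id into the next request.
SET ROLE app_backend;
BEGIN;
SET LOCAL app.current_user_id = '1';
SELECT id, body FROM documents;                           -- only alice's row (id 1)
UPDATE documents SET body = 'edited' WHERE owner_id = 2;  -- UPDATE 0: bob's row is invisible
COMMIT;

-- Writing a row on behalf of another user fails the WITH CHECK clause.
BEGIN;
SET LOCAL app.current_user_id = '1';
INSERT INTO documents (owner_id, body) VALUES (2, 'spoofed');  -- ERROR: violates row-level security policy
ROLLBACK;
```

Creating a real database role per application user also works with RLS (policies can reference `current_user`), but it moves credential management and connection pooling problems into the database; the per-transaction setting keeps one backend role while still making the owner check enforceable by Postgres rather than by every API handler remembering a WHERE clause.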