RBAC, ABAC, Row-Level Security, dynamic data masking, SSO/JWT, LDAP, OAuth2/OIDC — fine-grained authorisation at every level.
Role-based access control: privileges are granted to roles, and users are granted roles, so an entitlement is changed in one place rather than per user:

```sql
-- Create roles
CREATE ROLE analyst;
CREATE ROLE data_admin;
-- Grant privileges: read-only for analysts, full access for data admins
GRANT SELECT ON ALL TABLES IN SCHEMA public TO analyst;
GRANT ALL ON ALL TABLES IN SCHEMA public TO data_admin;
-- Create a user and give it the analyst role
-- (in a real deployment the password comes from a secret store, not a script literal)
CREATE USER alice IDENTIFIED BY 'secure_pass';
GRANT analyst TO alice;
```
RLS policies filter rows based on the current user, so each user only sees the rows they are authorised to access. When more than one policy can apply to the same role, verify with a test session how the policies combine before relying on the narrower one:

```sql
-- Enable RLS on a table
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- Policy: users only see their own orders
-- (current_user_id() resolves the authenticated user of the session)
CREATE POLICY user_orders ON orders
USING (user_id = current_user_id());
-- Policy: managers see all orders in their department
-- (restricted to manager_role and to SELECT)
CREATE POLICY manager_orders ON orders
FOR SELECT TO manager_role
USING (department = current_user_department());
```
Mask sensitive columns in query results without changing the stored data. Masking changes what a query returns, not what is stored; before treating it as the only control on a column, test with a masked role whether filtering or ordering on that column can be used to narrow down the real value, and keep UNMASK grants to roles whose access is audited:

```sql
-- Mask SSN: show only the last 4 digits
ALTER TABLE patients ALTER COLUMN ssn SET (mask = 'XXX-XX-####');
-- Mask email: show only the domain
ALTER TABLE users ALTER COLUMN email SET (mask = '****@domain');
-- Unmasked values for one specific role only
GRANT UNMASK ON patients TO compliance_officer;
```
Authenticate users against an existing LDAP or Active Directory server. A service account (bind_dn) runs the subtree search that locates the user's DN, and the user's own password is then checked with a simple bind against that DN:
| Feature | Details |
|---|---|
| Protocol | LDAP v3, pure C11 client (no libldap) |
| Encryption | LDAPS port 636 via native TLS |
| User lookup | Subtree search for user DN |
| Group mapping | Up to 16 LDAP group → DB role mapping rules |
| Bind method | Simple bind with user credentials |
```ini
# /etc/absdb/absdb.conf
[ldap]
enabled = true
# ldaps:// on 636: the simple binds below carry passwords, so keep them on TLS
server = ldaps://ad.company.com:636
base_dn = dc=company,dc=com
# Service account used only for the subtree search that finds the user's DN
bind_dn = cn=absdb-svc,ou=services,dc=company,dc=com
# Taken from the environment so the secret does not sit in the config file
bind_pass = ${LDAP_BIND_PASS}
# %s is replaced with the login name submitted by the client
user_filter = (sAMAccountName=%s)
# LDAP group -> database role; up to 16 rules
group_map = CN=DBAdmins,OU=Groups -> db_admin
group_map = CN=Analysts,OU=Groups -> analyst
```
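The two places where that configuration is consumed are the `%s` substitution in `user_filter` and the `group_map` lookup over the user's `memberOf` values. The following is an added illustration written for this page, not absdb's own code: it shows why the login name must be escaped per RFC 4515 before it is placed in the filter (a naive substitution lets `*` or `)(` change the filter's structure), and one way to resolve `memberOf` DNs to roles. The matching rule it uses for `group_map` (rule DN appended to `base_dn`, compared case-insensitively as an exact DN) is an assumption made for the example, as are the constructed group values.

```python
# Constructed values that mirror the [ldap] section above; the group_map
# matching rule (rule DN + base_dn, exact, case-insensitive) is an assumption
# made for this example, not documented absdb behaviour.
BASE_DN = "dc=company,dc=com"
USER_FILTER = "(sAMAccountName=%s)"
GROUP_MAP = [
    ("CN=DBAdmins,OU=Groups", "db_admin"),
    ("CN=Analysts,OU=Groups", "analyst"),
]

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(login: str) -> str:
    """Naive substitution, shown only to make the injection visible."""
    return USER_FILTER % login


def user_filter(login: str) -> str:
    """Safe substitution for the %s placeholder in user_filter."""
    return USER_FILTER % escape_filter_value(login)


def _norm_dn(dn: str) -> str:
    # Case-insensitive, whitespace-tolerant comparison of the RDN sequence.
    # Simplification: commas escaped inside attribute values are not handled.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def roles_for(member_of: list) -> list:
    """Map the memberOf values returned for a user to database roles, in rule order."""
    groups = {_norm_dn(g) for g in member_of}
    roles = []
    for group_dn, role in GROUP_MAP:
        if _norm_dn(group_dn + "," + BASE_DN) in groups and role not in roles:
            roles.append(role)
    return roles


if __name__ == "__main__":
    # A login of "*" turns the lookup into "match any user" if it is not escaped
    print(unsafe_user_filter("*"))                 # (sAMAccountName=*)
    print(user_filter("*"))                        # (sAMAccountName=\2a)
    print(user_filter("*)(objectClass=*"))         # (sAMAccountName=\2a\29\28objectClass=\2a)
    # Constructed memberOf values as a directory would return them
    print(roles_for(["CN=Analysts,OU=Groups,DC=company,DC=com",
                     "CN=Everyone,OU=Groups,DC=company,DC=com"]))   # ['analyst']
```

The escaping step is the one to check in any LDAP integration that builds filters from a template: the search should find exactly one entry for the submitted name, and a name containing filter metacharacters should find none rather than many.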
Authenticate with JWT tokens from Auth0, Okta, Keycloak, Azure AD, or Google:
| Feature | Details |
|---|---|
| Algorithms | HS256, RS256, ES256 |
| Claims extraction | sub, iss, exp, custom role_claim |
| JWKS cache | Up to 16 keys, auto-refresh |
| Clock skew | Configurable tolerance (default 60s) |
```ini
# /etc/absdb/absdb.conf
[jwt]
enabled = true
# Must equal the token's iss claim exactly, trailing slash included
issuer = https://company.auth0.com/
# A token minted for another API in the same tenant is rejected unless aud matches
audience = https://api.company.com
# Public keys for RS256/ES256 tokens; cached (up to 16 keys) and refreshed automatically
jwks_uri = https://company.auth0.com/.well-known/jwks.json
# Claim whose value carries the roles to map
role_claim = https://company.com/roles
```
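What a verifier configured like that has to check on every token, as an added example written for this page (not absdb's code, and not how it implements the check internally): the signature under an algorithm pinned by the verifier rather than chosen by the token, then `iss` as an exact string, `aud`, `exp`/`nbf` with the 60 s skew tolerance, `sub`, and finally the role claim. HS256 with a shared secret is used because it runs offline with the standard library; the RS256/ES256 path differs only in the key lookup against the JWKS. The issuer, audience, role-claim name, secret and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values that mirror the [jwt] section above; the secret is a demo
# value for this example only.
ISSUER = "https://company.auth0.com/"
AUDIENCE = "https://api.company.com"
ROLE_CLAIM = "https://company.com/roles"
CLOCK_SKEW = 60                      # seconds; the page's default tolerance
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a token as test input. alg="none" yields the unsigned form an attacker
    would submit; it exists only so the verifier can be shown rejecting it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify(token: str, secret: bytes, now: float = None) -> dict:
    """Check signature, iss, aud, exp/nbf (with skew) and sub; return the subject
    and the roles found in ROLE_CLAIM. Raises ValueError naming the first failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # The algorithm is fixed by the verifier, never taken from the token: this is
    # what closes alg=none and RS256-to-HS256 key-confusion forgeries.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # iss is compared as an exact string, trailing slash included
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")
    if now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("expired")
    if "nbf" in claims and now < claims["nbf"] - CLOCK_SKEW:
        raise ValueError("not yet valid")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    roles = claims.get(ROLE_CLAIM, [])
    return {"sub": claims["sub"], "roles": list(roles) if isinstance(roles, list) else [roles]}


def verdict(token: str, secret: bytes, now: float) -> str:
    """'ok' or the rejection reason, for the checks below."""
    try:
        verify(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000                                   # constructed "current time"
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", ROLE_CLAIM: ["analyst"]}
    good = mint(dict(base, exp=now + 300), DEMO_SECRET)
    print(verify(good, DEMO_SECRET, now))                 # {'sub': 'alice', 'roles': ['analyst']}
    print(verdict(good, b"other-secret", now))            # bad signature
    print(verdict(mint(dict(base, exp=now + 300), DEMO_SECRET, alg="none"), DEMO_SECRET, now))  # unexpected alg 'none'
    print(verdict(mint(dict(base, exp=now - 30), DEMO_SECRET), DEMO_SECRET, now))   # ok (inside the 60 s skew)
    print(verdict(mint(dict(base, exp=now - 61), DEMO_SECRET), DEMO_SECRET, now))   # expired
```

The order matters: the signature is checked before any claim is read, so a forged payload never influences a decision, and the algorithm check comes before the signature so an `alg=none` or key-confused token is rejected without touching the key.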
ABAC extends RBAC with contextual attributes such as time-of-day, IP address, client certificate, and custom session attributes. Policies combine role checks with attribute checks for fine-grained control.
~154 KB binary · zero external dependencies · 2,737 tests passing