This is a pretty simple step. As a starting point, you should create data access privileges for each table and view in your application. As a minimum you should provide select and modify privileges but we recommend the full set of select, insert, update and delete privileges for each.
In order to allow for future Veil2
system
privileges to be added, it is recommended that you begin
numbering your privileges from 20.
You should aim to keep the range of privilege_ids that are in use
as small as possible. You do not want unused ids, as this extends
the range and will lead to larger bitmaps being needed and
slightly reduced performance. Always allocate privilege_ids
manually (do not use a sequence), and if you need to delete some
privileges, try to subsequently re-use the original ids. Note
that Veil2
defines a number of its own
privileges. They should be left alone.
At this point you need to determine the appropriate scope for privileges on each relation (table or view). You may, at this point, discover scopes that you hadn't previously considered. You can go back to earlier steps if needed.
You may find that you are unable to determine a suitable scope for some relations. If so, leave it as null. When you test your system with an unprivileged user, you will have no access to this relation, and the scope that it needs will become apparent.
The demo sets a (very) minimal set of privileges. Look for STEP 7
in the file demo/veil2_demo--0.9.2 (beta).sql
.