Veil2 is a Postgres extension for implementing relational security systems.

A relational security system Is one in which access rights are determined by the user’s relationships to the objects being accessed.

The primary aims of a relational security system are to make the management of access to data a seamless, and necessary, component of your application, and to make its implementation as simple as possible and as sophisticated as needed.

Veil2 is designed to make the implementation of relational security systems as easy as possible. It provides an extensible framework of permissions, permission checks, and user authentication so that you can start building a secure database in a matter of hours.

With Veil2 you secure the database itself and not just applications that use it. This means that even if your application server is compromised, an attacker's ability to access data will be limited to the data for which they can steal access credentials. This gives them little more access than the application itself would give them.

The security of database applications is more usually managed by building the access control rules into application servers, and typically these access control rules offer a fairly coarse level of granularity. This is often because reasoning about access controls at the level of functionality is difficult. With relational security modelling, it can be much easier to reason about what sort of user needs what sort of access, and using Veil2 the implementation of access control rules becomes trivial.

Veil2 is mostly implemented in SQL and PL/pgSQL, with a small amount of security and performance-critical code written in C. It is designed to be fast, flexible and customizable, and aims to make the security of your system better, faster, more complete and easier to understand.

If you would like to see what Veil2 can do, you can install and explore the Veil2 demos.