MariaDB allows fine grained control of access over different database objects. Granting access to a very specific resource is easy. A problem comes up when one wants to grant access to a whole database except for a particular resource (table, column, etc.). The only solution thus far is to grant access to each individual resource and omit the ones that must not be accessible. Clearly this is not maintainable, nor practical.
This is where the DENY command comes in. The gist of the feature: A user will not be able to access denied resources unless the deny is explicitly revoked. MDEV-14443 - Reverse privileges in MariaDB is an ongoing tasks that will implement it. During this talk we will go through use cases, comparison to similar features of other databases well as implementation details of the feature which will (very likely) be part of MariaDB 10.9.
Speakers: Vicentiu Ciorbaru