Security Definer Functions and Privilege Escalation Patterns
Security Definer Functions and Privilege Escalation Patterns
PostgreSQL functions run with the privileges of either the caller (SECURITY INVOKER, the default) or the function owner (SECURITY DEFINER). Security definer functions are a powerful tool for controlled privilege escalation — granting access to specific operations without exposing the underlying tables or giving out powerful roles.