AWS redshift documentation change
Summary
Added data sharing consideration section explaining that ROLE_IS_MEMBER_OF function evaluates using consumer cluster's security context when querying shared objects
Security assessment
This change clarifies security context behavior in data sharing scenarios but does not indicate a specific security vulnerability being fixed. It adds documentation about security implications of cross-cluster function evaluation.
Diff
diff --git a/redshift/latest/dg/r_ROLE_IS_MEMBER_OF.md b/redshift/latest/dg/r_ROLE_IS_MEMBER_OF.md index 2f107e53f..3523ce7c4 100644 --- a//redshift/latest/dg/r_ROLE_IS_MEMBER_OF.md +++ b//redshift/latest/dg/r_ROLE_IS_MEMBER_OF.md @@ -12,0 +13,4 @@ Returns true if the role is a member of another role. Superusers can check the m +**Data sharing consideration** + +When a consumer cluster queries a shared object that references this function, such as a view, RLS policy, or DDM policy, the function evaluates using the consumer cluster's security context. The consumer's local users, roles, and group memberships determine the result, not those defined on the producer cluster. If you intend to enforce the same permissions context that is implemented on the producer, ensure that the corresponding role names, group names, and user memberships exist on the consumer cluster and match those on the producer. +