AWS redshift documentation change
Summary
Added data sharing consideration section explaining that USER_IS_MEMBER_OF function evaluates using consumer cluster's security context when querying shared objects
Security assessment
This change clarifies security context behavior in data sharing scenarios but does not indicate a specific security vulnerability being fixed. It adds documentation about security implications of cross-cluster function evaluation.
Diff
diff --git a/redshift/latest/dg/r_USER_IS_MEMBER_OF.md b/redshift/latest/dg/r_USER_IS_MEMBER_OF.md index 87f4fafde..0275cad57 100644 --- a//redshift/latest/dg/r_USER_IS_MEMBER_OF.md +++ b//redshift/latest/dg/r_USER_IS_MEMBER_OF.md @@ -16,0 +17,4 @@ Returns true if the user is a member of a role or group. Superusers can check th +**Data sharing consideration** + +When a consumer cluster queries a shared object that references this function, such as a view, RLS policy, or DDM policy, the function evaluates using the consumer cluster's security context. The consumer's local users, roles, and group memberships determine the result, not those defined on the producer cluster. If you intend to enforce the same permissions context that is implemented on the producer, ensure that the corresponding role names, group names, and user memberships exist on the consumer cluster and match those on the producer. +