Query rewriting seems interesting, having a layer between your DB and your application would also allow various ACL stuff as well