On Thu, Dec 20, 2012 at 4:50 PM, Kevin Grittner <kgri...@mail.com> wrote: > I don't think I like ALTER TABLE as a syntax for row level > security. How about using existing GRANT syntax but allowing a > WHERE clause? That seems more natural to me, and it would make it > easy to apply the same conditions to multiple types of operations > when desired, but use different expressions when desired. Without > having spent a lot of time pondering it, I think that if row level > SELECT permissions exist, they would need to be met on the OLD > tuple to allow DELETE or UPDATE, and UPDATE row level permissions > would be applied to the NEW tuple.
This gets thorny if a role inherits from multiple roles each having a different RLS predicate. You can OR them together, but performance will likely suck. I initially thought of this as well, but I think it's just too ugly to live. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
