On Wed, Jul 9, 2014 at 2:13 AM, Stephen Frost <sfr...@snowman.net> wrote:
> Robert,
>
> * Robert Haas (robertmh...@gmail.com) wrote:
>> If you're going to have predicates be table-level and access grants be
>> table-level, then what's the value in having policies? You could just
>> do:
>>
>> ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING quals;
>
> Yes, this would be possible (and is nearly identical to the original
> patch, except that this includes per-role considerations), however, my
> thinking is that it'd be simpler to work with policy names rather than
> sets of quals, to use when mapping to roles, and they would potentially
> be useful later for other things (eg: for setting up which policies
> should be applied when, or which should be OR'd or AND'd with other
> policies, or having groups of policies, etc).

Hmm. I guess that's reasonable. Should the policy be a per-table
object (like rules, constraints, etc.) instead of a global object?

You could do:

ALTER TABLE table_name ADD POLICY policy_name (quals);
ALTER TABLE table_name POLICY FOR role_name IS policy_name;
ALTER TABLE table_name DROP POLICY policy_name;

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company