On Wed, Jul 9, 2014 at 2:13 AM, Stephen Frost <sfr...@snowman.net> wrote:
> Robert,
> * Robert Haas (robertmh...@gmail.com) wrote:
>> If you're going to have predicates be table-level and access grants be
>> table-level, then what's the value in having policies?  You could just
>> do:
>> ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING quals;
> Yes, this would be possible (and is nearly identical to the original
> patch, except that this includes per-role considerations), however, my
> thinking is that it'd be simpler to work with policy names rather than
> sets of quals, to use when mapping to roles, and they would potentially
> be useful later for other things (eg: for setting up which policies
> should be applied when, or which should be OR' or AND"d with other
> policies, or having groups of policies, etc).

Hmm.  I guess that's reasonable.  Should the policy be a per-table
object (like rules, constraints, etc.) instead of a global object?

You could do:

ALTER TABLE table_name ADD POLICY policy_name (quals);
ALTER TABLE table_name POLICY FOR role_name IS policy_name;
ALTER TABLE table_name DROP POLICY policy_name;

Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to