I'm a little confused on why a SELECT policy fires against the NEW record for an UPDATE when using multiple FOR policies. The ALL policy doesn't seem to have that restriction.
DROP TABLE IF EXISTS t; CREATE USER simple; CREATE USER split; CREATE TABLE t(value int); grant select, update on table t to simple, split; INSERT INTO t values (1), (2); ALTER TABLE t ENABLE ROW LEVEL SECURITY; CREATE POLICY simple_all ON t TO simple USING (value > 0) WITH CHECK (true); CREATE POLICY split_select ON t FOR SELECT TO split USING (value > 0); CREATE POLICY split_update ON t FOR UPDATE TO split USING (true) WITH CHECK (true); SET session authorization simple; SELECT * FROM t; UPDATE t SET value = value * -1 WHERE value = 1; SET session authorization split; SELECT * FROM t; UPDATE t SET value = value * -1 WHERE value = 2; /* UPDATE fails with below error: psql:/tmp/t.sql:24: ERROR: 42501: new row violates row-level security policy for table "t" LOCATION: ExecWithCheckOptions, execMain.c:2045 */ SET session authorization default; SELECT * FROM t; This seems consistent in both Pg 9.5 and upcoming Pg 10. -- Rod Taylor