List: postgresql-general
Subject: Re: [GENERAL] Row security policies documentation question
From: Adrian Klaver <adrian.klaver () aklaver ! com>
Date: 2016-05-31 23:48:48
Message-ID: a33f1176-a458-f712-0796-a94da89cda17 () aklaver ! com
On 05/31/2016 01:59 PM, Alexander M. Sauer-Budge wrote:
> Hello,
>
> Section 5.7. on Row Security Policies
> (https://www.postgresql.org/docs/current/static/ddl-rowsecurity.html) for 9.5 says:
>
> As a simple example, here is how to create a policy on the account relation to
> allow only members of the managers role to access rows, and only rows of their
> accounts:
>
> CREATE TABLE accounts (manager text, company text, contact_email text);
>
> ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
>
> CREATE POLICY account_managers ON accounts TO managers
> USING (manager = current_user);
>
> If no role is specified, or the special user name PUBLIC is used, then the policy
> applies to all users on the system. To allow all users to access their own row in a
> users table, a simple policy can be used:
>
> CREATE POLICY user_policy ON users
> USING (user = current_user);
>
> ---
>
> I'm trying to understand the example as it references both an `accounts` table and a
> `users` table which isn't defined. Is this a mishmash of example fragments or
> should the CREATE POLICY statement reference the `accounts` table instead of
> `users`? Specifically, what does `user` reference in the statement "CREATE POLICY
> user_policy ON users USING (user = current_user);"? Is this a table column in a
> `users` table the example doesn't define or does PostgreSQL keep track of what
> user/role inserted a row and allow policies to use it?
For a good review of what is possible with RLS take a look at this blog:
http://blog.2ndquadrant.com/application-users-vs-row-level-security/
>
> Thanks!
> Alex
>
>
>
--
Adrian Klaver
adrian.klaver@aklaver.com
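
An added example, not part of the thread or of the PostgreSQL documentation, showing a per-user policy on a `users` table in which the compared value is an ordinary column of that table. The table definition, the `user_name` column and the roles `alice` and `bob` are assumptions, and it is meant to be run as a superuser in a scratch database. In PostgreSQL an unquoted `user` is a reserved keyword equivalent to `current_user`, so the column is given a different name here.

```sql
-- Constructed sample roles and data (assumptions, not from the thread).
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

-- RLS does not record who inserted a row; the owning role name has to be
-- stored in a column that the policy can compare against.
CREATE TABLE users (
    user_name text PRIMARY KEY,
    email     text NOT NULL
);

INSERT INTO users (user_name, email) VALUES
    ('alice', 'alice@example.com'),
    ('bob',   'bob@example.com');

-- Ordinary table privileges are still required; RLS filters rows on top of them.
GRANT SELECT, UPDATE ON users TO PUBLIC;

ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- No TO clause, so the policy applies to PUBLIC (all roles).
-- With no WITH CHECK clause, the USING expression is also applied to the
-- new row version written by UPDATE.
CREATE POLICY user_policy ON users
    USING (user_name = current_user);

-- As alice, the policy expression is added to every scan of the table,
-- so statements only see and modify rows where user_name = 'alice'.
SET ROLE alice;
SELECT user_name, email FROM users;
UPDATE users SET email = 'changed@example.com' WHERE user_name = 'bob';
RESET ROLE;

-- The table owner is exempt from policies by default; FORCE removes that
-- exemption. Superusers and roles with BYPASSRLS are never filtered.
ALTER TABLE users FORCE ROW LEVEL SECURITY;

-- Review which policies exist and what they test.
SELECT policyname, roles, cmd, qual, with_check
FROM pg_policies
WHERE tablename = 'users';
```

Writing the predicate as `USING (user = current_user)` without quoting `user` compares the session role with itself, which is true for every row, so such a policy filters nothing.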