List:       postgresql-general
Subject:    Re: [GENERAL] Row security policies documentation question
From:       Adrian Klaver <adrian.klaver () aklaver ! com>
Date:       2016-05-31 23:48:48
Message-ID: a33f1176-a458-f712-0796-a94da89cda17 () aklaver ! com

On 05/31/2016 01:59 PM, Alexander M. Sauer-Budge wrote:
> Hello,
> 
> Section 5.7. on Row Security Policies
> (https://www.postgresql.org/docs/current/static/ddl-rowsecurity.html) for 9.5 says:
> As a simple example, here is how to create a policy on the account relation to
> allow only members of the managers role to access rows, and only rows of their
> accounts:
> CREATE TABLE accounts (manager text, company text, contact_email text);
> 
> ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
> 
> CREATE POLICY account_managers ON accounts TO managers
> USING (manager = current_user);
> 
> If no role is specified, or the special user name PUBLIC is used, then the policy
> applies to all users on the system. To allow all users to access their own row in a
> users table, a simple policy can be used:
> CREATE POLICY user_policy ON users
> USING (user = current_user);
> 
> ---
> 
> I'm trying to understand the example as it references both an `accounts` table and a
> `users` table which isn't defined. Is this a mishmash of example fragments or
> should the CREATE POLICY statement reference the `accounts` table instead of
> `users`? Specifically, what does `user` reference in the statement "CREATE POLICY
> user_policy ON users USING (user = current_user);"? Is this a table column in a
> `users` table the example doesn't define or does PostgreSQL keep track of what
> user/role inserted a row and allow policies to use it?

For a good review of what is possible with RLS take a look at this blog:

http://blog.2ndquadrant.com/application-users-vs-row-level-security/

> 
> Thanks!
> Alex


-- 
Adrian Klaver
adrian.klaver@aklaver.com
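An added example, not from this thread or the PostgreSQL documentation, that puts the two documentation fragments quoted above into one self-contained script with the `users` table actually defined, and checks both policies with SET ROLE. The roles alice and bob, the column name user_name and the sample rows are assumptions; run it as a superuser so SET ROLE works.

```sql
-- Added example, not from the thread or the PostgreSQL docs: both
-- documentation fragments in one self-contained script, with the `users`
-- table actually defined. Role and column names are assumptions.
CREATE ROLE managers NOLOGIN;
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
GRANT managers TO alice;

-- Fragment 1: members of managers see only the rows they manage.
CREATE TABLE accounts (manager text, company text, contact_email text);
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON accounts TO PUBLIC;   -- table privilege; RLS then filters rows
CREATE POLICY account_managers ON accounts TO managers
    USING (manager = current_user);

-- Fragment 2: the `users` table the docs refer to but never define.
-- PostgreSQL does not record which role inserted a row, so the owner must be
-- stored in a column (here user_name). Unquoted `user` is a reserved word
-- that evaluates to the current role (same as current_user), not to a
-- column; a column really named user would have to be written "user".
CREATE TABLE users (user_name text PRIMARY KEY, email text);
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
GRANT SELECT, UPDATE ON users TO PUBLIC;
CREATE POLICY user_policy ON users
    USING (user_name = current_user);

INSERT INTO accounts VALUES ('alice', 'Acme',   'acme@example.com'),
                            ('bob',   'Globex', 'globex@example.com');
INSERT INTO users VALUES ('alice', 'alice@example.com'),
                         ('bob',   'bob@example.com');

-- The table owner bypasses RLS unless FORCE is set; superusers and roles
-- with BYPASSRLS bypass it regardless. FORCE is set after seeding so the
-- owner's inserts above are not themselves blocked by the policies.
ALTER TABLE accounts FORCE ROW LEVEL SECURITY;
ALTER TABLE users FORCE ROW LEVEL SECURITY;

-- Check each policy from the point of view of the roles it governs.
SET ROLE alice;
SELECT * FROM accounts;   -- Acme row only: alice is a member of managers
SELECT * FROM users;      -- alice's row only
RESET ROLE;
SET ROLE bob;
SELECT * FROM accounts;   -- no rows: bob is not in managers, so no policy
                          -- applies and RLS falls back to default deny
SELECT * FROM users;      -- bob's row only
RESET ROLE;
```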


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general