CREATE POLICY
Synopsis
Use the CREATE POLICY
statement to create a new row level security policy for a table.A policy grants the permission to select, insert, update, or delete rows that match the relevant policy expression.Row level security must be enabled on the table using ALTER TABLE for thepolicies to take effect.
Syntax
create_policy ::= CREATE POLICY name ON table_name
[ AS { PERMISSIVE | RESTRICTIVE } ]
[ FOR { ALL | SELECT | INSERT | UPDATE | DELETE } ]
[ TO { role_name
| PUBLIC
| CURRENT_USER
| SESSION_USER } [ , ... ] ]
[ USING ( using_expression ) ]
[ WITH CHECK ( check_expression ) ]
create_policy
Where
name
is the name of the new policy. This must be distinct from any other policy name for thattable.table_name
is the name of the table that the policy applies to.PERMISSIVE
/RESTRICTIVE
specifies that the policy is permissive or restrictive.While applying policies to a table, permissive policies are combined together using a logical OR operator,while restrictive policies are combined using logical AND operator. Restrictive policies are used toreduce the number of records that can be accessed. Default is permissive.role_name
is the role(s) to which the policy is applied. Default isPUBLIC
which applies thepolicy to all roles.using_expression
is a SQL conditional expression. Only rows for which the condition returns totrue will be visible in aSELECT
and available for modification in anUPDATE
orDELETE
.check_expression
is a SQL conditional expression that is used only forINSERT
andUPDATE
queries. Only rows for which the expression evaluates to true will be allowed in anINSERT
orUPDATE
. Note that unlikeusing_expression
, this is evaluated against the proposed new contentsof the row.
Examples
- Create a permissive policy.
yugabyte=# CREATE POLICY p1 ON document
USING (dlevel <= (SELECT level FROM user_account WHERE ybuser = current_user));
- Create a restricive policy.
yugabyte=# CREATE POLICY p_restrictive ON document AS RESTRICTIVE TO user_bob
USING (cid <> 44);
- Create a policy with a
CHECK
condition for inserts.
yugabyte=# CREATE POLICY p2 ON document FOR INSERT WITH CHECK (dauthor = current_user);
See also
当前内容版权归 YugabyteDB 或其关联方所有,如需对内容或内容相关联开源项目进行关注与资助,请访问 YugabyteDB .