Policies Applied by Command Type and Multiple Policy Application

morerows="1">Command</entry> <entry><literal>SELECT/ALL policy</literal></entry> <entry><literal>INSERT/ALL policy</literal></entry> <entry spanname="update"><literal>UPDATE/ALL policy</literal></entry> <entry><literal>DELETE/ALL policy</literal></entry> </row> <row> <entry><literal>USING expression</literal></entry> <entry><literal>WITH CHECK expression</literal></entry> <entry><literal>USING expression</literal></entry> <entry><literal>WITH CHECK expression</literal></entry> <entry><literal>USING expression</literal></entry> </row> </thead> <tbody> <row> <entry><command>SELECT</command></entry> <entry>Existing row</entry> <entry>—</entry> <entry>—</entry> <entry>—</entry> <entry>—</entry> </row> <row> <entry><command>SELECT FOR UPDATE/SHARE</command></entry> <entry>Existing row</entry> <entry>—</entry> <entry>Existing row</entry> <entry>—</entry> <entry>—</entry> </row> <row> <entry><command>INSERT</command> / <command>MERGE ... THEN INSERT</command></entry> <entry>—</entry> <entry>New row</entry> <entry>—</entry> <entry>—</entry> <entry>—</entry> </row> <row> <entry><command>INSERT ... RETURNING</command></entry> <entry> New row <footnote id="rls-select-priv"> <para> If read access is required to the existing or new row (for example, a <literal>WHERE</literal> or <literal>RETURNING</literal> clause that refers to columns from the relation). </para> </footnote> </entry> <entry>New row</entry> <entry>—</entry> <entry>—</entry> <entry>—</entry> </row> <row> <entry><command>UPDATE</command> / <command>MERGE ... THEN UPDATE</command></entry> <entry> Existing & new rows <footnoteref linkend="rls-select-priv"/> </entry> <entry>—</entry> <entry>Existing row</entry> <entry>New row</entry> <entry>—</entry> </row> <row> <entry><command>DELETE</command></entry> <entry> Existing row <footnoteref linkend="rls-select-priv"/> </entry> <entry>—</entry> <entry>—</entry> <entry>—</entry> <entry>Existing row</entry> </row> <row> <entry><command>ON CONFLICT DO UPDATE</command></entry> <entry>Existing & new rows</entry> <entry>—</entry> <entry>Existing row</entry> <entry>New row</entry> <entry>—</entry> </row> </tbody> </tgroup> </table> </refsect2> <refsect2> <title>Application of Multiple Policies</title> <para> When multiple policies of different command types apply to the same command (for example, <literal>SELECT</literal> and <literal>UPDATE</literal> policies applied to an <literal>UPDATE</literal> command), then the user must have both types of permissions (for example, permission to select rows from the relation as well as permission to update them). Thus the expressions for one type of policy are combined with the expressions for the other type of policy using the <literal>AND</literal> operator. </para> <para> When multiple policies of the same command type apply to the same command, then there must be at least one <literal>PERMISSIVE</literal> policy granting access to the relation, and all of the <literal>RESTRICTIVE</literal> policies must pass. Thus all the <literal>PERMISSIVE</literal> policy expressions are combined using <literal>OR</literal>, all the <literal>RESTRICTIVE</literal> policy expressions are combined using <literal>AND</literal>, and the

This section details the policies applied by various SQL commands such as SELECT, SELECT FOR UPDATE/SHARE, INSERT, UPDATE, DELETE, and ON CONFLICT DO UPDATE. It specifies which type of policy (SELECT/ALL, INSERT/ALL, UPDATE/ALL, DELETE/ALL) and which expression (USING, WITH CHECK) applies to each command, indicating whether it's the existing row or the new row being checked. It also explains how multiple policies of different command types or of the same type are combined. Different command types are combined with the `AND` operator and same command types are combined with `OR` for PERMISSIVE and `AND` for RESTRICTIVE policies.