newly created policies is that they apply for all commands and
roles, unless otherwise specified. Multiple policies may apply to a single
command; see below for more details.
<xref linkend="sql-createpolicy-summary"/> summarizes how the different types
of policy apply to specific commands.
</para>
<para>
For policies that can have both <literal>USING</literal>
and <literal>WITH CHECK</literal> expressions (<literal>ALL</literal>
and <literal>UPDATE</literal>), if no <literal>WITH CHECK</literal>
expression is defined, then the <literal>USING</literal> expression will be
used both to determine which rows are visible (normal
<literal>USING</literal> case) and which new rows will be allowed to be
added (<literal>WITH CHECK</literal> case).
</para>
<para>
If row-level security is enabled for a table, but no applicable policies
exist, a <quote>default deny</quote> policy is assumed, so that no rows will
be visible or updatable.
</para>
</refsect1>
<refsect1>
<title>Parameters</title>
<variablelist>
<varlistentry>
<term><replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
The name of the policy to be created. This must be distinct from the
name of any other policy for the table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">table_name</replaceable></term>
<listitem>
<para>
The name (optionally schema-qualified) of the table the
policy applies to.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PERMISSIVE</literal></term>
<listitem>
<para>
Specify that the policy is to be created as a permissive policy.
All permissive policies which are applicable to a given query will
be combined together using the Boolean <quote>OR</quote> operator. By creating
permissive policies, administrators can add to the set of records
which can be accessed. Policies are permissive by default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RESTRICTIVE</literal></term>
<listitem>
<para>
Specify that the policy is to be created as a restrictive policy.
All restrictive policies which are applicable to a given query will
be combined together using the Boolean <quote>AND</quote> operator. By creating
restrictive policies, administrators can reduce the set of records
which can be accessed as all restrictive policies must be passed for
each record.
</para>
<para>
Note that there needs to be at least one permissive policy to grant
access to records before restrictive policies can be usefully used to
reduce that access. If only restrictive policies exist, then no records
will be accessible. When a mix of permissive and restrictive policies
are present, a record is only accessible if at least one of the
permissive policies passes, in addition to all the restrictive
policies.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">command</replaceable></term>
<listitem>
<para>
The command to which the policy applies. Valid options are
<command>ALL</command>, <command>SELECT</command>,
<command>INSERT</command>, <command>UPDATE</command>,
and <command>DELETE</command>.
<command>ALL</command> is the default.
See below for specifics regarding how these are applied.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">role_name</replaceable></term>
<listitem>
<para>
The role(s) to which the policy is to be applied. The default is
<literal>PUBLIC</literal>, which will apply the policy to all roles.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">using_expression</replaceable></term>