Home Explore Blog CI



postgresql
8th chunk of `doc/src/sgml/ref/create_policy.sgml`
93e262de8961f986a7e1924b74871272754b55f34c9a35400000000100000bbf
 different command types apply to the same command
    (for example, <literal>SELECT</literal> and <literal>UPDATE</literal>
    policies applied to an <literal>UPDATE</literal> command), then the user
    must have both types of permissions (for example, permission to select rows
    from the relation as well as permission to update them).  Thus the
    expressions for one type of policy are combined with the expressions for
    the other type of policy using the <literal>AND</literal> operator.
   </para>

   <para>
    When multiple policies of the same command type apply to the same command,
    then there must be at least one <literal>PERMISSIVE</literal> policy
    granting access to the relation, and all of the
    <literal>RESTRICTIVE</literal> policies must pass.  Thus all the
    <literal>PERMISSIVE</literal> policy expressions are combined using
    <literal>OR</literal>, all the <literal>RESTRICTIVE</literal> policy
    expressions are combined using <literal>AND</literal>, and the results are
    combined using <literal>AND</literal>.  If there are no
    <literal>PERMISSIVE</literal> policies, then access is denied.
   </para>

   <para>
    Note that, for the purposes of combining multiple policies,
    <literal>ALL</literal> policies are treated as having the same type as
    whichever other type of policy is being applied.
   </para>

   <para>
    For example, in an <literal>UPDATE</literal> command requiring both
    <literal>SELECT</literal> and <literal>UPDATE</literal> permissions, if
    there are multiple applicable policies of each type, they will be combined
    as follows:

<programlisting>
<replaceable>expression</replaceable> from RESTRICTIVE SELECT/ALL policy 1
AND
<replaceable>expression</replaceable> from RESTRICTIVE SELECT/ALL policy 2
AND
...
AND
(
  <replaceable>expression</replaceable> from PERMISSIVE SELECT/ALL policy 1
  OR
  <replaceable>expression</replaceable> from PERMISSIVE SELECT/ALL policy 2
  OR
  ...
)
AND
<replaceable>expression</replaceable> from RESTRICTIVE UPDATE/ALL policy 1
AND
<replaceable>expression</replaceable> from RESTRICTIVE UPDATE/ALL policy 2
AND
...
AND
(
  <replaceable>expression</replaceable> from PERMISSIVE UPDATE/ALL policy 1
  OR
  <replaceable>expression</replaceable> from PERMISSIVE UPDATE/ALL policy 2
  OR
  ...
)
</programlisting></para>

  </refsect2>
 </refsect1>

 <refsect1>
  <title>Notes</title>

  <para>
   You must be the owner of a table to create or change policies for it.
  </para>

  <para>
   While policies will be applied for explicit queries against tables
   in the database, they are not applied when the system is performing internal
   referential integrity checks or validating constraints.  This means there are
   indirect ways to determine that a given value exists.  An example of this is
   attempting to insert a duplicate value into a column that is a primary key
   or has a unique constraint.  If the insert fails then the user can infer that
   the value already
Title: Combining Multiple Policies and Notes on RLS
Summary
This section explains how multiple row-level security (RLS) policies are combined when different command types (e.g., SELECT and UPDATE) or the same command type apply to a single command. It details the use of AND and OR operators to combine RESTRICTIVE and PERMISSIVE policies, respectively. 'ALL' policies are treated as the same type as other policies being applied. An example is provided to illustrate the combination of multiple SELECT and UPDATE policies in an UPDATE command. The section also includes notes stating that users must be the table owner to create or change policies and that policies aren't applied during internal referential integrity checks or constraint validations.