Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Seguir 1
Destacar 0
Wiki 捐赠
gooderp18绿色标准版
No puede seleccionar más de 25 temas Los temas deben comenzar con una letra o número, pueden incluir guiones ('-') y pueden tener hasta 35 caracteres de largo.
Rama: master
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde 'master'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/sql-createpolicy.html

348 líneas
28KB
Original Enlace permanente Blame Histórico 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>CREATE POLICY</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="sql-createopfamily.html" title="CREATE OPERATOR FAMILY" /><link rel="next" href="sql-createprocedure.html" title="CREATE PROCEDURE" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">CREATE POLICY</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sql-createopfamily.html" title="CREATE OPERATOR FAMILY">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><th width="60%" align="center">SQL Commands</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="sql-createprocedure.html" title="CREATE PROCEDURE">Next</a></td></tr></table><hr></hr></div><div class="refentry" id="SQL-CREATEPOLICY"><div class="titlepage"></div><a id="id-1.9.3.75.1" class="indexterm"></a><div class="refnamediv"><h2><span class="refentrytitle">CREATE POLICY</span></h2><p>CREATE POLICY — define a new row level security policy for a table</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><pre class="synopsis">

  3. CREATE POLICY <em class="replaceable"><code>name</code></em> ON <em class="replaceable"><code>table_name</code></em>

  4.     [ AS { PERMISSIVE | RESTRICTIVE } ]

  5.     [ FOR { ALL | SELECT | INSERT | UPDATE | DELETE } ]

  6.     [ TO { <em class="replaceable"><code>role_name</code></em> | PUBLIC | CURRENT_USER | SESSION_USER } [, ...] ]

  7.     [ USING ( <em class="replaceable"><code>using_expression</code></em> ) ]

  8.     [ WITH CHECK ( <em class="replaceable"><code>check_expression</code></em> ) ]

  9. </pre></div><div class="refsect1" id="id-1.9.3.75.5"><h2>Description</h2><p>

  10.    The <code class="command">CREATE POLICY</code> command defines a new row-level

  11.    security policy for a table.  Note that row-level security must be

  12.    enabled on the table (using <code class="command">ALTER TABLE ... ENABLE ROW LEVEL

  13.    SECURITY</code>) in order for created policies to be applied.

  14.   </p><p>

  15.    A policy grants the permission to select, insert, update, or delete rows

  16.    that match the relevant policy expression.  Existing table rows are

  17.    checked against the expression specified in <code class="literal">USING</code>,

  18.    while new rows that would be created via <code class="literal">INSERT</code>

  19.    or <code class="literal">UPDATE</code> are checked against the expression specified

  20.    in <code class="literal">WITH CHECK</code>.  When a <code class="literal">USING</code>

  21.    expression returns true for a given row then that row is visible to the

  22.    user, while if false or null is returned then the row is not visible.

  23.    When a <code class="literal">WITH CHECK</code> expression returns true for a row

  24.    then that row is inserted or updated, while if false or null is returned

  25.    then an error occurs.

  26.   </p><p>

  27.    For <code class="command">INSERT</code> and <code class="command">UPDATE</code> statements,

  28.    <code class="literal">WITH CHECK</code> expressions are enforced after

  29.    <code class="literal">BEFORE</code> triggers are fired, and before any actual data

  30.    modifications are made.  Thus a <code class="literal">BEFORE ROW</code> trigger may

  31.    modify the data to be inserted, affecting the result of the security

  32.    policy check.  <code class="literal">WITH CHECK</code> expressions are enforced

  33.    before any other constraints.

  34.   </p><p>

  35.    Policy names are per-table.  Therefore, one policy name can be used for many

  36.    different tables and have a definition for each table which is appropriate to

  37.    that table.

  38.   </p><p>

  39.    Policies can be applied for specific commands or for specific roles.  The

  40.    default for newly created policies is that they apply for all commands and

  41.    roles, unless otherwise specified.  Multiple policies may apply to a single

  42.    command; see below for more details.

  43.    <a class="xref" href="sql-createpolicy.html#SQL-CREATEPOLICY-SUMMARY" title="Table 256. Policies Applied by Command Type">Table 256</a> summarizes how the different types

  44.    of policy apply to specific commands.

  45.   </p><p>

  46.    For policies that can have both <code class="literal">USING</code>

  47.    and <code class="literal">WITH CHECK</code> expressions (<code class="literal">ALL</code>

  48.    and <code class="literal">UPDATE</code>), if no <code class="literal">WITH CHECK</code>

  49.    expression is defined, then the <code class="literal">USING</code> expression will be

  50.    used both to determine which rows are visible (normal

  51.    <code class="literal">USING</code> case) and which new rows will be allowed to be

  52.    added (<code class="literal">WITH CHECK</code> case).

  53.   </p><p>

  54.    If row-level security is enabled for a table, but no applicable policies

  55.    exist, a <span class="quote">“<span class="quote">default deny</span>”</span> policy is assumed, so that no rows will

  56.    be visible or updatable.

  57.   </p></div><div class="refsect1" id="id-1.9.3.75.6"><h2>Parameters</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><em class="replaceable"><code>name</code></em></span></dt><dd><p>

  58.       The name of the policy to be created.  This must be distinct from the

  59.       name of any other policy for the table.

  60.      </p></dd><dt><span class="term"><em class="replaceable"><code>table_name</code></em></span></dt><dd><p>

  61.       The name (optionally schema-qualified) of the table the

  62.       policy applies to.

  63.      </p></dd><dt><span class="term"><code class="literal">PERMISSIVE</code></span></dt><dd><p>

  64.       Specify that the policy is to be created as a permissive policy.

  65.       All permissive policies which are applicable to a given query will

  66.       be combined together using the Boolean <span class="quote">“<span class="quote">OR</span>”</span> operator.  By creating

  67.       permissive policies, administrators can add to the set of records

  68.       which can be accessed.  Policies are permissive by default.

  69.      </p></dd><dt><span class="term"><code class="literal">RESTRICTIVE</code></span></dt><dd><p>

  70.       Specify that the policy is to be created as a restrictive policy.

  71.       All restrictive policies which are applicable to a given query will

  72.       be combined together using the Boolean <span class="quote">“<span class="quote">AND</span>”</span> operator.  By creating

  73.       restrictive policies, administrators can reduce the set of records

  74.       which can be accessed as all restrictive policies must be passed for

  75.       each record.

  76.      </p><p>

  77.       Note that there needs to be at least one permissive policy to grant

  78.       access to records before restrictive policies can be usefully used to

  79.       reduce that access. If only restrictive policies exist, then no records

  80.       will be accessible. When a mix of permissive and restrictive policies

  81.       are present, a record is only accessible if at least one of the

  82.       permissive policies passes, in addition to all the restrictive

  83.       policies.

  84.      </p></dd><dt><span class="term"><em class="replaceable"><code>command</code></em></span></dt><dd><p>

  85.       The command to which the policy applies.  Valid options are

  86.       <code class="command">ALL</code>, <code class="command">SELECT</code>,

  87.       <code class="command">INSERT</code>, <code class="command">UPDATE</code>,

  88.       and <code class="command">DELETE</code>.

  89.       <code class="command">ALL</code> is the default.

  90.       See below for specifics regarding how these are applied.

  91.      </p></dd><dt><span class="term"><em class="replaceable"><code>role_name</code></em></span></dt><dd><p>

  92.       The role(s) to which the policy is to be applied.  The default is

  93.       <code class="literal">PUBLIC</code>, which will apply the policy to all roles.

  94.      </p></dd><dt><span class="term"><em class="replaceable"><code>using_expression</code></em></span></dt><dd><p>

  95.       Any <acronym class="acronym">SQL</acronym> conditional expression (returning

  96.       <code class="type">boolean</code>).  The conditional expression cannot contain

  97.       any aggregate or window functions.  This expression will be added

  98.       to queries that refer to the table if row level security is enabled.

  99.       Rows for which the expression returns true will be visible.  Any

  100.       rows for which the expression returns false or null will not be

  101.       visible to the user (in a <code class="command">SELECT</code>), and will not be

  102.       available for modification (in an <code class="command">UPDATE</code>

  103.       or <code class="command">DELETE</code>).  Such rows are silently suppressed; no error

  104.       is reported.

  105.      </p></dd><dt><span class="term"><em class="replaceable"><code>check_expression</code></em></span></dt><dd><p>

  106.       Any <acronym class="acronym">SQL</acronym> conditional expression (returning

  107.       <code class="type">boolean</code>).  The conditional expression cannot contain

  108.       any aggregate or window functions.  This expression will be used in

  109.       <code class="command">INSERT</code> and <code class="command">UPDATE</code> queries against

  110.       the table if row level security is enabled.  Only rows for which the

  111.       expression evaluates to true will be allowed.  An error will be thrown

  112.       if the expression evaluates to false or null for any of the records

  113.       inserted or any of the records that result from the update.  Note that

  114.       the <em class="replaceable"><code>check_expression</code></em> is

  115.       evaluated against the proposed new contents of the row, not the

  116.       original contents.

  117.      </p></dd></dl></div><div class="refsect2" id="id-1.9.3.75.6.3"><h3>Per-Command Policies</h3><div class="variablelist"><dl class="variablelist"><dt id="SQL-CREATEPOLICY-ALL"><span class="term"><code class="literal">ALL</code></span></dt><dd><p>

  118.          Using <code class="literal">ALL</code> for a policy means that it will apply

  119.          to all commands, regardless of the type of command.  If an

  120.          <code class="literal">ALL</code> policy exists and more specific policies

  121.          exist, then both the <code class="literal">ALL</code> policy and the more

  122.          specific policy (or policies) will be applied.

  123.          Additionally, <code class="literal">ALL</code> policies will be applied to

  124.          both the selection side of a query and the modification side, using

  125.          the <code class="literal">USING</code> expression for both cases if only

  126.          a <code class="literal">USING</code> expression has been defined.

  127.        </p><p>

  128.          As an example, if an <code class="literal">UPDATE</code> is issued, then the

  129.          <code class="literal">ALL</code> policy will be applicable both to what the

  130.          <code class="literal">UPDATE</code> will be able to select as rows to be

  131.          updated (applying the <code class="literal">USING</code> expression),

  132.          and to the resulting updated rows, to check if they are permitted

  133.          to be added to the table (applying the <code class="literal">WITH CHECK</code>

  134.          expression, if defined, and the <code class="literal">USING</code> expression

  135.          otherwise).  If an <code class="command">INSERT</code>

  136.          or <code class="command">UPDATE</code> command attempts to add rows to the

  137.          table that do not pass the <code class="literal">ALL</code>

  138.          policy's <code class="literal">WITH CHECK</code> expression, the entire

  139.          command will be aborted.

  140.        </p></dd><dt id="SQL-CREATEPOLICY-SELECT"><span class="term"><code class="literal">SELECT</code></span></dt><dd><p>

  141.          Using <code class="literal">SELECT</code> for a policy means that it will apply

  142.          to <code class="literal">SELECT</code> queries and whenever

  143.          <code class="literal">SELECT</code> permissions are required on the relation the

  144.          policy is defined for.  The result is that only those records from the

  145.          relation that pass the <code class="literal">SELECT</code> policy will be

  146.          returned during a <code class="literal">SELECT</code> query, and that queries

  147.          that require <code class="literal">SELECT</code> permissions, such as

  148.          <code class="literal">UPDATE</code>, will also only see those records

  149.          that are allowed by the <code class="literal">SELECT</code> policy.

  150.          A <code class="literal">SELECT</code> policy cannot have a <code class="literal">WITH

  151.          CHECK</code> expression, as it only applies in cases where

  152.          records are being retrieved from the relation.

  153.        </p></dd><dt id="SQL-CREATEPOLICY-INSERT"><span class="term"><code class="literal">INSERT</code></span></dt><dd><p>

  154.          Using <code class="literal">INSERT</code> for a policy means that it will apply

  155.          to <code class="literal">INSERT</code> commands.  Rows being inserted that do

  156.          not pass this policy will result in a policy violation error, and the

  157.          entire <code class="literal">INSERT</code> command will be aborted.

  158.          An <code class="literal">INSERT</code> policy cannot have

  159.          a <code class="literal">USING</code> expression, as it only applies in cases

  160.          where records are being added to the relation.

  161.        </p><p>

  162.          Note that <code class="literal">INSERT</code> with <code class="literal">ON CONFLICT DO

  163.          UPDATE</code> checks <code class="literal">INSERT</code> policies'

  164.          <code class="literal">WITH CHECK</code> expressions only for rows appended

  165.          to the relation by the <code class="literal">INSERT</code> path.

  166.        </p></dd><dt id="SQL-CREATEPOLICY-UPDATE"><span class="term"><code class="literal">UPDATE</code></span></dt><dd><p>

  167.          Using <code class="literal">UPDATE</code> for a policy means that it will apply

  168.          to <code class="literal">UPDATE</code>, <code class="literal">SELECT FOR UPDATE</code>

  169.          and <code class="literal">SELECT FOR SHARE</code> commands, as well as

  170.          auxiliary <code class="literal">ON CONFLICT DO UPDATE</code> clauses of

  171.          <code class="literal">INSERT</code> commands.  Since <code class="literal">UPDATE</code>

  172.          involves pulling an existing record and replacing it with a new

  173.          modified record, <code class="literal">UPDATE</code>

  174.          policies accept both a <code class="literal">USING</code> expression and

  175.          a <code class="literal">WITH CHECK</code> expression.

  176.          The <code class="literal">USING</code> expression determines which records

  177.          the <code class="literal">UPDATE</code> command will see to operate against,

  178.          while the <code class="literal">WITH CHECK</code> expression defines which

  179.          modified rows are allowed to be stored back into the relation.

  180.        </p><p>

  181.          Any rows whose updated values do not pass the

  182.          <code class="literal">WITH CHECK</code> expression will cause an error, and the

  183.          entire command will be aborted.  If only a <code class="literal">USING</code>

  184.          clause is specified, then that clause will be used for both

  185.          <code class="literal">USING</code> and <code class="literal">WITH CHECK</code> cases.

  186.        </p><p>

  187.          Typically an <code class="literal">UPDATE</code> command also needs to read

  188.          data from columns in the relation being updated (e.g., in a

  189.          <code class="literal">WHERE</code> clause or a <code class="literal">RETURNING</code>

  190.          clause, or in an expression on the right hand side of the

  191.          <code class="literal">SET</code> clause).  In this case,

  192.          <code class="literal">SELECT</code> rights are also required on the relation

  193.          being updated, and the appropriate <code class="literal">SELECT</code> or

  194.          <code class="literal">ALL</code> policies will be applied in addition to

  195.          the <code class="literal">UPDATE</code> policies.  Thus the user must have

  196.          access to the row(s) being updated through a <code class="literal">SELECT</code>

  197.          or <code class="literal">ALL</code> policy in addition to being granted

  198.          permission to update the row(s) via an <code class="literal">UPDATE</code>

  199.          or <code class="literal">ALL</code> policy.

  200.        </p><p>

  201.          When an <code class="literal">INSERT</code> command has an auxiliary

  202.          <code class="literal">ON CONFLICT DO UPDATE</code> clause, if the

  203.          <code class="literal">UPDATE</code> path is taken, the row to be updated is

  204.          first checked against the <code class="literal">USING</code> expressions of

  205.          any <code class="literal">UPDATE</code> policies, and then the new updated row

  206.          is checked against the <code class="literal">WITH CHECK</code> expressions.

  207.          Note, however, that unlike a standalone <code class="literal">UPDATE</code>

  208.          command, if the existing row does not pass the

  209.          <code class="literal">USING</code> expressions, an error will be thrown (the

  210.          <code class="literal">UPDATE</code> path will <span class="emphasis"><em>never</em></span> be silently

  211.          avoided).

  212.        </p></dd><dt id="SQL-CREATEPOLICY-DELETE"><span class="term"><code class="literal">DELETE</code></span></dt><dd><p>

  213.          Using <code class="literal">DELETE</code> for a policy means that it will apply

  214.          to <code class="literal">DELETE</code> commands.  Only rows that pass this

  215.          policy will be seen by a <code class="literal">DELETE</code> command.  There can

  216.          be rows that are visible through a <code class="literal">SELECT</code> that are

  217.          not available for deletion, if they do not pass the

  218.          <code class="literal">USING</code> expression for

  219.          the <code class="literal">DELETE</code> policy.

  220.        </p><p>

  221.          In most cases a <code class="literal">DELETE</code> command also needs to read

  222.          data from columns in the relation that it is deleting from (e.g.,

  223.          in a <code class="literal">WHERE</code> clause or a

  224.          <code class="literal">RETURNING</code> clause). In this case,

  225.          <code class="literal">SELECT</code> rights are also required on the relation,

  226.          and the appropriate <code class="literal">SELECT</code> or

  227.          <code class="literal">ALL</code> policies will be applied in addition to

  228.          the <code class="literal">DELETE</code> policies.  Thus the user must have

  229.          access to the row(s) being deleted through a <code class="literal">SELECT</code>

  230.          or <code class="literal">ALL</code> policy in addition to being granted

  231.          permission to delete the row(s) via a <code class="literal">DELETE</code> or

  232.          <code class="literal">ALL</code> policy.

  233.        </p><p>

  234.          A <code class="literal">DELETE</code> policy cannot have a <code class="literal">WITH

  235.          CHECK</code> expression, as it only applies in cases where

  236.          records are being deleted from the relation, so that there is no

  237.          new row to check.

  238.        </p></dd></dl></div><div class="table" id="SQL-CREATEPOLICY-SUMMARY"><p class="title"><strong>Table 256. Policies Applied by Command Type</strong></p><div class="table-contents"><table class="table" summary="Policies Applied by Command Type" border="1"><colgroup><col /><col /><col /><col class="update-using" /><col class="update-check" /><col /></colgroup><thead><tr><th rowspan="2">Command</th><th><code class="literal">SELECT/ALL policy</code></th><th><code class="literal">INSERT/ALL policy</code></th><th colspan="2"><code class="literal">UPDATE/ALL policy</code></th><th><code class="literal">DELETE/ALL policy</code></th></tr><tr><th><code class="literal">USING expression</code></th><th><code class="literal">WITH CHECK expression</code></th><th><code class="literal">USING expression</code></th><th><code class="literal">WITH CHECK expression</code></th><th><code class="literal">USING expression</code></th></tr></thead><tbody><tr><td><code class="command">SELECT</code></td><td>Existing row</td><td>—</td><td>—</td><td>—</td><td>—</td></tr><tr><td><code class="command">SELECT FOR UPDATE/SHARE</code></td><td>Existing row</td><td>—</td><td>Existing row</td><td>—</td><td>—</td></tr><tr><td><code class="command">INSERT</code></td><td>—</td><td>New row</td><td>—</td><td>—</td><td>—</td></tr><tr><td><code class="command">INSERT ... RETURNING</code></td><td>

  239.         New row <a href="#ftn.RLS-SELECT-PRIV" class="footnote"><sup class="footnote" id="RLS-SELECT-PRIV">[a]</sup></a>

  240.        </td><td>New row</td><td>—</td><td>—</td><td>—</td></tr><tr><td><code class="command">UPDATE</code></td><td>

  241.         Existing &amp; new rows <a href="sql-createpolicy.html#ftn.RLS-SELECT-PRIV" class="footnoteref"><sup class="footnoteref">[a]</sup></a>

  242.        </td><td>—</td><td>Existing row</td><td>New row</td><td>—</td></tr><tr><td><code class="command">DELETE</code></td><td>

  243.         Existing row <a href="sql-createpolicy.html#ftn.RLS-SELECT-PRIV" class="footnoteref"><sup class="footnoteref">[a]</sup></a>

  244.        </td><td>—</td><td>—</td><td>—</td><td>Existing row</td></tr><tr><td><code class="command">ON CONFLICT DO UPDATE</code></td><td>Existing &amp; new rows</td><td>—</td><td>Existing row</td><td>New row</td><td>—</td></tr></tbody><tbody class="footnotes"><tr><td colspan="6"><div id="ftn.RLS-SELECT-PRIV" class="footnote"><p><a href="#RLS-SELECT-PRIV" class="para"><sup class="para">[a] </sup></a>

  245.           If read access is required to the existing or new row (for example,

  246.           a <code class="literal">WHERE</code> or <code class="literal">RETURNING</code> clause

  247.           that refers to columns from the relation).

  248.          </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="refsect2" id="id-1.9.3.75.6.4"><h3>Application of Multiple Policies</h3><p>

  249.     When multiple policies of different command types apply to the same command

  250.     (for example, <code class="literal">SELECT</code> and <code class="literal">UPDATE</code>

  251.     policies applied to an <code class="literal">UPDATE</code> command), then the user

  252.     must have both types of permissions (for example, permission to select rows

  253.     from the relation as well as permission to update them).  Thus the

  254.     expressions for one type of policy are combined with the expressions for

  255.     the other type of policy using the <code class="literal">AND</code> operator.

  256.    </p><p>

  257.     When multiple policies of the same command type apply to the same command,

  258.     then there must be at least one <code class="literal">PERMISSIVE</code> policy

  259.     granting access to the relation, and all of the

  260.     <code class="literal">RESTRICTIVE</code> policies must pass.  Thus all the

  261.     <code class="literal">PERMISSIVE</code> policy expressions are combined using

  262.     <code class="literal">OR</code>, all the <code class="literal">RESTRICTIVE</code> policy

  263.     expressions are combined using <code class="literal">AND</code>, and the results are

  264.     combined using <code class="literal">AND</code>.  If there are no

  265.     <code class="literal">PERMISSIVE</code> policies, then access is denied.

  266.    </p><p>

  267.     Note that, for the purposes of combining multiple policies,

  268.     <code class="literal">ALL</code> policies are treated as having the same type as

  269.     whichever other type of policy is being applied.

  270.    </p><p>

  271.     For example, in an <code class="literal">UPDATE</code> command requiring both

  272.     <code class="literal">SELECT</code> and <code class="literal">UPDATE</code> permissions, if

  273.     there are multiple applicable policies of each type, they will be combined

  274.     as follows:

  275. 

  276. </p><pre class="programlisting">

  277. <em class="replaceable"><code>expression</code></em> from RESTRICTIVE SELECT/ALL policy 1

  278. AND

  279. <em class="replaceable"><code>expression</code></em> from RESTRICTIVE SELECT/ALL policy 2

  280. AND

  281. ...

  282. AND

  283. (

  284.   <em class="replaceable"><code>expression</code></em> from PERMISSIVE SELECT/ALL policy 1

  285.   OR

  286.   <em class="replaceable"><code>expression</code></em> from PERMISSIVE SELECT/ALL policy 2

  287.   OR

  288.   ...

  289. )

  290. AND

  291. <em class="replaceable"><code>expression</code></em> from RESTRICTIVE UPDATE/ALL policy 1

  292. AND

  293. <em class="replaceable"><code>expression</code></em> from RESTRICTIVE UPDATE/ALL policy 2

  294. AND

  295. ...

  296. AND

  297. (

  298.   <em class="replaceable"><code>expression</code></em> from PERMISSIVE UPDATE/ALL policy 1

  299.   OR

  300.   <em class="replaceable"><code>expression</code></em> from PERMISSIVE UPDATE/ALL policy 2

  301.   OR

  302.   ...

  303. )

  304. </pre></div></div><div class="refsect1" id="id-1.9.3.75.7"><h2>Notes</h2><p>

  305.    You must be the owner of a table to create or change policies for it.

  306.   </p><p>

  307.    While policies will be applied for explicit queries against tables

  308.    in the database, they are not applied when the system is performing internal

  309.    referential integrity checks or validating constraints.  This means there are

  310.    indirect ways to determine that a given value exists.  An example of this is

  311.    attempting to insert a duplicate value into a column that is a primary key

  312.    or has a unique constraint.  If the insert fails then the user can infer that

  313.    the value already exists. (This example assumes that the user is permitted by

  314.    policy to insert records which they are not allowed to see.)  Another example

  315.    is where a user is allowed to insert into a table which references another,

  316.    otherwise hidden table.  Existence can be determined by the user inserting

  317.    values into the referencing table, where success would indicate that the

  318.    value exists in the referenced table.  These issues can be addressed by

  319.    carefully crafting policies to prevent users from being able to insert,

  320.    delete, or update records at all which might possibly indicate a value they

  321.    are not otherwise able to see, or by using generated values (e.g., surrogate

  322.    keys) instead of keys with external meanings.

  323.   </p><p>

  324.    Generally, the system will enforce filter conditions imposed using

  325.    security policies prior to qualifications that appear in user queries,

  326.    in order to prevent inadvertent exposure of the protected data to

  327.    user-defined functions which might not be trustworthy.  However,

  328.    functions and operators marked by the system (or the system

  329.    administrator) as <code class="literal">LEAKPROOF</code> may be evaluated before

  330.    policy expressions, as they are assumed to be trustworthy.

  331.   </p><p>

  332.    Since policy expressions

  333.    are added to the user's query directly, they will be run with the rights of

  334.    the user running the overall query.  Therefore, users who are using a given

  335.    policy must be able to access any tables or functions referenced in the

  336.    expression or they will simply receive a permission denied error when

  337.    attempting to query the table that has row-level security enabled.

  338.    This does not change how views

  339.    work, however.  As with normal queries and views, permission checks and

  340.    policies for the tables which are referenced by a view will use the view

  341.    owner's rights and any policies which apply to the view owner.

  342.   </p><p>

  343.    Additional discussion and practical examples can be found

  344.    in <a class="xref" href="ddl-rowsecurity.html" title="5.8. Row Security Policies">Section 5.8</a>.

  345.   </p></div><div class="refsect1" id="id-1.9.3.75.8"><h2>Compatibility</h2><p>

  346.    <code class="command">CREATE POLICY</code> is a <span class="productname">PostgreSQL</span>

  347.    extension.

  348.   </p></div><div class="refsect1" id="id-1.9.3.75.9"><h2>See Also</h2><span class="simplelist"><a class="xref" href="sql-alterpolicy.html" title="ALTER POLICY"><span class="refentrytitle">ALTER POLICY</span></a>, <a class="xref" href="sql-droppolicy.html" title="DROP POLICY"><span class="refentrytitle">DROP POLICY</span></a>, <a class="xref" href="sql-altertable.html" title="ALTER TABLE"><span class="refentrytitle">ALTER TABLE</span></a></span></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sql-createopfamily.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sql-commands.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sql-createprocedure.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">CREATE OPERATOR FAMILY </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> CREATE PROCEDURE</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1