Well, things did not work as I expected, which means there is more for me to learn. I am new to RLS usage. I want to implement this in a proper manner, so is the behavior described below correct? Are there other aspects of this I need to study? Thanks, in advance. Advice and links to articles are greatly appreciated. - Mark Here are two tests I ran using pg 12 (upgrade on the schedule). Given a table “customer” with a column “deadfiled” with a default of false. If deadfile is true, then exclude row from queries executed by role “staff”. Test 1 CREATE POLICY filter_customer_deadfiled ON public.customer AS PERMISSIVE FOR SELECT TO staff USING ((deadfiled IS NOT TRUE)); Select queries by staff do not include row where deadfiled is true. Update and insert queries by staff on visible rows fail. Test 2 CREATE POLICY filter_customer_deadfiled ON public.customer AS PERMISSIVE FOR ALL TO prm_staff USING ((deadfiled IS NOT TRUE)); Select queries by staff do not include row where deadfiled is true. Update insert queries by staff on visible rows succeed. This indicates that policy using FOR ALL allows CRUD, but if the policy states FOR SELECT then additional policies are needed for insert, update and delete.
|