Re: RLS Design

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Yeb Havinga <yeb(dot)havinga(at)portavita(dot)nl>
Subject: Re: RLS Design
Date: 2014-07-09 06:13:49
Message-ID: 20140709061349.GI16422@tamriel.snowman.net
Lists: pgsql-hackers

Robert,

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> If you're going to have predicates be table-level and access grants be
> table-level, then what's the value in having policies? You could just
> do:
>
> ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING quals;

Yes, this would be possible (and is nearly identical to the original
patch, except that this includes per-role considerations), however, my
thinking is that it'd be simpler to work with policy names rather than
sets of quals, to use when mapping to roles, and they would potentially
be useful later for other things (e.g. for setting up which policies
should be applied when, or which should be OR'd or AND'd with other
policies, or having groups of policies, etc.).

> As I see it, the only value in having policies as separate objects is
> that you can then, by granting access to the policy, give a particular
> user a bundle of rights rather than having to grant each right
> individually. But with this design, you've got to create the policy,
> then add the quals to it for each table, and then you still have to
> give access individually for every <row, table> combination, so what
> value is the policy object itself providing?

To clarify this part: the idea is that you would simply declare a policy
name to be a set of quals for a particular table, so you declare them
and then map a policy to roles for which it should be used. In this
arrangement, you don't declare the policy explicitly before setting the
quals; those are done at the same time.

Thanks,

Stephen
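As an added illustration (not part of the thread above, and not code from any of its participants), the following shows the shape that the design Stephen describes eventually took in the PostgreSQL syntax that shipped in 9.5: a named policy whose quals are declared for one table and mapped to a role in a single statement. The table, column, role and policy names are constructed for this example.

```sql
-- Added example, not from the thread: the CREATE POLICY form PostgreSQL
-- later shipped (9.5). The table, role and policy names are constructed.
CREATE TABLE patient_notes (
    id    serial PRIMARY KEY,
    owner text NOT NULL,   -- constructed: name of the role that owns the row
    note  text
);

-- Policies have no effect until RLS is enabled on the table.
ALTER TABLE patient_notes ENABLE ROW LEVEL SECURITY;

-- RLS filters rows; it does not replace ordinary privileges, which the
-- role still needs to be granted.
CREATE ROLE clinician;
GRANT SELECT, INSERT, UPDATE ON patient_notes TO clinician;
GRANT USAGE ON SEQUENCE patient_notes_id_seq TO clinician;

-- Rows inserted by the table owner, who is not subject to this policy.
INSERT INTO patient_notes (owner, note)
VALUES ('clinician', 'visible to clinician'),
       ('other_user', 'hidden from clinician');

-- One statement declares the policy name, its USING quals for this table,
-- and the role it applies to. WITH CHECK applies the same condition to
-- rows being inserted or updated, so a role cannot write rows it could
-- not read back.
CREATE POLICY own_rows ON patient_notes
    TO clinician
    USING (owner = current_user)
    WITH CHECK (owner = current_user);

-- Check: acting as the mapped role, only rows satisfying the quals are
-- visible, and a write that fails WITH CHECK is rejected.
SET ROLE clinician;
SELECT id, owner, note FROM patient_notes;   -- only the 'clinician' row
INSERT INTO patient_notes (owner, note) VALUES ('other_user', 'rejected');
RESET ROLE;
```

On the OR'd/AND'd point raised in the message: in the 9.5 design, multiple policies that apply to the same role and command are permissive and their quals are combined with OR; policies whose quals are ANDed with the others (RESTRICTIVE) were added later, in PostgreSQL 10. When reviewing an RLS setup it is worth listing the policies per table and role (for example via the pg_policies view) to confirm that the combined predicate is the one intended.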
