On 06/24/2014 10:30 PM, Alvaro Herrera wrote: > I haven't been following this thread, but this bit caught my attention. > I'm not sure I agree that OR is always the right policy either. > There is a case for a policy that says "forbid these rows to these guys, > even if they have read permissions from elsewhere".
That's generally considered a "DENY" policy, a concept borrowed from ACLs. You have access to a resource if: - You have at least one policy that gives you access AND - You have no policies that deny you access > If OR is the only > way to mix multiple policies there might not be a way to implement this. I think that's a "later" myself, but we shouldn't design ourselves into a corner where we can't support deny rules either. -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers