Craig, * Craig Ringer (cr...@2ndquadrant.com) wrote: > On 06/24/2014 10:30 PM, Alvaro Herrera wrote: > > I haven't been following this thread, but this bit caught my attention. > > I'm not sure I agree that OR is always the right policy either. > > There is a case for a policy that says "forbid these rows to these guys, > > even if they have read permissions from elsewhere". > > That's generally considered a "DENY" policy, a concept borrowed from ACLs.
Right.
> > If OR is the only
> > way to mix multiple policies there might not be a way to implement this.
>
> I think that's a "later" myself, but we shouldn't design ourselves into
> a corner where we can't support deny rules either.
Agreed, but I don't want to get so wrapped up in all of this that we end
up with a set of requirements so long that we'll never be able to
accomplish them all in a single release...
Thanks!
Stephen
signature.asc
Description: Digital signature
