Robert,

* Robert Haas (robertmh...@gmail.com) wrote:
> If you're going to have predicates be table-level and access grants be
> table-level, then what's the value in having policies? You could just
> do:
>
> ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING quals;

Yes, this would be possible (and is nearly identical to the original patch, except that this includes per-role considerations), however, my thinking is that it'd be simpler to work with policy names rather than sets of quals, to use when mapping to roles, and they would potentially be useful later for other things (e.g.: for setting up which policies should be applied when, or which should be OR'd or AND'd with other policies, or having groups of policies, etc).

> As I see it, the only value in having policies as separate objects is
> that you can then, by granting access to the policy, give a particular
> user a bundle of rights rather than having to grant each right
> individually. But with this design, you've got to create the policy,
> then add the quals to it for each table, and then you still have to
> give access individually for every <row, table> combination, so what
> value is the policy object itself providing?

To clarify this part- the idea is that you would simply declare a policy name to be a set of quals for a particular table, so you declare them and then map a policy to roles for which it should be used. In this arrangement, you don't declare the policy explicitly before setting the quals, those are done at the same time.

Thanks,

Stephen