
I have a table named products in my PostgreSQL 9.5 database, and this table's fields are like this:

  • id
  • name
  • sales_area

And the data is like this:

    id       name       sales_area
    1        prod1      A1
    2        prod2      A1
    3        prod3      A2
    4        prod4      A3

And I want to create a database user named user1, and this user should select, update and delete only A1 sales_area data. Other database users will select, update and delete all data.

Is this rule possible using a policy? And how?

  • I don't think that is possible, but you can create a sample view (applying a condition where sales_area = 'A1') and grant permission to "user1" over the new view. Commented Jul 17, 2018 at 9:04
  • Can the user insert or delete using this view? Commented Jul 17, 2018 at 9:07
  • Yes, it should. There are some keywords and rules that need to be taken care of; then it will allow all the DML to be performed. Commented Jul 17, 2018 at 9:12

2 Answers


I think that this can be done using row level security as follows:

    ALTER TABLE products ENABLE ROW LEVEL SECURITY;

    CREATE POLICY for_user1 ON products AS PERMISSIVE
       FOR ALL TO PUBLIC
       USING (current_user <> 'user1' OR sales_area = 'A1');

Then user1 can only access sales_area A1 and everybody else can access everything.

Some explanations:

  • FOR ALL means “for all actions”, see the documentation:

    Using ALL for a policy means that it will apply to all commands, regardless of the type of command.

  • The lack of a WITH CHECK clause does not mean that data modifications won't be checked. Again a quote from the documentation:

    ALL policies will be applied to both the selection side of a query and the modification side, using the USING expression for both cases if only a USING expression has been defined.


2 Comments

Does "FOR ALL TO PUBLIC" include select, insert and update?
I have extended the answer in the hope to cover this and other questions.

About permissions I am not sure, but alternatively you can create a view as below and give "user1" permission on the new view.

    create table tx1(id int,name varchar(20),sales_area varchar(20));
    insert into tx1 values(1,'prod1','A1');
    insert into tx1 values(2,'prod2','A1');
    insert into tx1 values(3,'prod3','A2');
    insert into tx1 values(4,'prod4','A3');

    create view tx1_view
    as select * from tx1 where sales_area='A1';

    insert into tx1_view values(5,'prod5','A1');

    select * from tx1_view;

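As an added, self-contained example (not code from either answer), the script below applies the row-level-security policy from the first answer to the question's products table, with the grants and FORCE ROW LEVEL SECURITY a practitioner would want, and then shows the view approach from the second answer hardened with WITH CHECK OPTION so that writes through the view cannot escape the A1 filter. The role user1 is from the question; the password, the view name products_a1 and the sample rows are assumed.

```sql
-- Table and data as described in the question (constructed sample rows)
CREATE TABLE products (id int PRIMARY KEY, name text, sales_area text);
INSERT INTO products VALUES
    (1, 'prod1', 'A1'), (2, 'prod2', 'A1'), (3, 'prod3', 'A2'), (4, 'prod4', 'A3');

-- The restricted role; password is a placeholder
CREATE ROLE user1 LOGIN PASSWORD 'change-me';
-- Table-level privileges are still required; RLS only filters rows
GRANT SELECT, INSERT, UPDATE, DELETE ON products TO user1;

-- Approach 1: row level security (first answer)
ALTER TABLE products ENABLE ROW LEVEL SECURITY;
-- Also apply policies to the table owner (superusers always bypass RLS)
ALTER TABLE products FORCE ROW LEVEL SECURITY;

-- FOR ALL with only USING: the USING expression doubles as the WITH CHECK
-- expression, so user1 can neither read nor write rows outside A1
CREATE POLICY for_user1 ON products AS PERMISSIVE
    FOR ALL TO PUBLIC
    USING (current_user <> 'user1' OR sales_area = 'A1');

-- Exercise the policy as user1 (SET ROLE makes current_user = 'user1')
SET ROLE user1;
SELECT * FROM products;                              -- only the A1 rows are visible
UPDATE products SET name = 'x' WHERE id = 3;         -- row 3 is invisible, nothing changes
UPDATE products SET sales_area = 'A2' WHERE id = 1;  -- rejected: new row violates the policy
INSERT INTO products VALUES (5, 'prod5', 'A3');      -- rejected for the same reason
DELETE FROM products WHERE id = 4;                   -- row 4 is invisible, nothing deleted
RESET ROLE;

-- Approach 2: a filtered view (second answer), hardened with WITH CHECK OPTION
-- Without it, an INSERT or UPDATE through the view may produce a row the
-- view itself cannot see (e.g. sales_area = 'A2')
CREATE VIEW products_a1 AS
    SELECT * FROM products WHERE sales_area = 'A1'
    WITH CHECK OPTION;
-- Grant on the view only; the view runs with its owner's rights on the table
REVOKE ALL ON products FROM user1;
GRANT SELECT, INSERT, UPDATE, DELETE ON products_a1 TO user1;
```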
