Re: RLS Design

>
> I think we do want a way to modify policies. However, we tend to
> avoid syntax that involves unnatural word order, as this certainly
> does. Maybe it's better to follow the example of CREATE RULE and
> CREATE TRIGGER and do something this instead:
>
> CREATE POLICY policy_name ON table_name USING quals;
> ALTER POLICY policy_name ON table_name USING quals;
> DROP POLICY policy_name ON table_name;
>
> The advantage of this is that you can regard "policy_name ON
> table_name" as the identifier for the policy throughout the system.
> You need some kind of identifier of that sort anyway to support
> COMMENT ON, SECURITY LABEL, and ALTER EXTENSION ADD/DROP for policies.

Sounds good. I certainly think it makes a lot of sense to include the
ALTER functionality, if for no other reason than ease of use.

Another item to consider, though I believe it can come later, is per-action
policies. Following the above suggested syntax, perhaps that might look
like the following?

CREATE POLICY policy_name ON table_name FOR action USING quals;
ALTER POLICY policy_name ON table_name FOR action USING quals;
DROP POLICY policy_name ON table_name FOR action;

I was also giving some thought to the use of "POLICY", perhaps I am wrong,
but it does seem it could be at risk of becoming ambiguous down the road.
I can't think of any specific examples at the moment, but my concern is
what happens if we wanted to add another "type" of policy, whatever that
might be, later? Would it make more sense to go ahead and qualify this a
little more with "ROW SECURITY POLICY"?

Thanks,
Adam

--
Adam Brightwell - adam(dot)brightwell(at)crunchydatasolutions(dot)com
Database Engineer - www.crunchydatasolutions.com