Row Access Policy

Use the CREATE ACCESS POLICY statement to create a row access policy for a specific row in a table. You must use a WHERE clause to set the access policy's condition.

Row Access Policy Use Case

You can also create a row access policy on the same table. For example, you can modify access to a customer table so a manager can view data in all rows. However, a broker can see a row only if the customer is associated with that broker:

      
=> select * from customers_table;

custID | password |     ssn
-------+----------+---------
    1  | secret   | 12345678901
    2  | secret   | 12345678902
    3  | secret   | 12345678903
(3 rows)

Each customer in the customers_table has an assigned broker:

      
=> select * from broker_info;

broker  | custID
--------+---------
u1      |     1
u2      |     2
u3      |     3

Create the access policy to allow a manager to see all data in all rows. Limit a broker's view to only those customers to which the broker is assigned:

=> CREATE ACCESS POLICY ON schema.customers_table
   FOR rows
   WHERE
      ENABLED_ROLE('manager')
         or
     (ENABLED_ROLE('broker') AND customers_table.custID in (SELECT broker_info.custID FROM broker_info
    WHERE broker = CURRENT_USER()))
   ENABLE;

Example

Suppose you have a customers table but want to limit users with the broker role to being able to view only customers to which they are assigned. This example shows how to create a row access policy that allows managers to view everything and brokers to view only their customers.

Run the following SQL statement:

=> SELECT * FROM customers_table; 

The customers_table appears as follows:

custID  |  password  |    SSN
--------+------------+--------------
  1     |   secret   |    123456789
  2     |   secret   |    123456780
  3     |   secret   |    123456781
(3 rows)

Run the following SQL statement:

=> SELECT * FROM broker_info; 

The broker_info table shows that each customer has an assigned broker:

broker  |  custID 
--------+---------
  user1 |        1  
  user2 |        2  
  user3 |        3  
(3 rows)

Create the following access policy that only allows brokers to see customers to which they are associated:

=> CREATE ACCESS POLICY on customers_table for rows
WHERE
   ENABLED_ROLE('manager')
   or
   (ENABLED_ROLE('broker') AND customers_table.custID in (SELECT broker_info.custID FROM broker_info
   WHERE broker = CURRENT_USER()))
ENABLE;

As user1, run the following SQL command:

user1=> SELECT * FROM customers_table; 

The following is returned because user1 is associated with custID 1:

custID  |  password  |    SSN
--------+------------+--------------
  1     |   secret   |    123456789
(1 rows)

 

In This Section