On 06/24/2014 10:30 PM, Alvaro Herrera wrote:
> I haven't been following this thread, but this bit caught my attention.
> I'm not sure I agree that OR is always the right policy either.
> There is a case for a policy that says "forbid these rows to these guys,
> even if they have read permissions from elsewhere".
That's generally considered a "DENY" policy, a concept borrowed from ACLs.
You have access to a resource if:
- You have at least one policy that gives you access AND
- You have no policies that deny you access
> If OR is the only
> way to mix multiple policies there might not be a way to implement this.
I think that's a "later" myself, but we shouldn't design ourselves into
a corner where we can't support deny rules either.
-- Craig Ringer http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services