1CREATE POLICY(7)         PostgreSQL 16.1 Documentation        CREATE POLICY(7)
2
3
4

NAME

6       CREATE_POLICY - define a new row-level security policy for a table
7

SYNOPSIS

9       CREATE POLICY name ON table_name
10           [ AS { PERMISSIVE | RESTRICTIVE } ]
11           [ FOR { ALL | SELECT | INSERT | UPDATE | DELETE } ]
12           [ TO { role_name | PUBLIC | CURRENT_ROLE | CURRENT_USER | SESSION_USER } [, ...] ]
13           [ USING ( using_expression ) ]
14           [ WITH CHECK ( check_expression ) ]
15

DESCRIPTION

17       The CREATE POLICY command defines a new row-level security policy for a
18       table. Note that row-level security must be enabled on the table (using
19       ALTER TABLE ... ENABLE ROW LEVEL SECURITY) in order for created
20       policies to be applied.
21
22       A policy grants the permission to select, insert, update, or delete
23       rows that match the relevant policy expression. Existing table rows are
24       checked against the expression specified in USING, while new rows that
25       would be created via INSERT or UPDATE are checked against the
26       expression specified in WITH CHECK. When a USING expression returns
27       true for a given row then that row is visible to the user, while if
28       false or null is returned then the row is not visible. When a WITH
29       CHECK expression returns true for a row then that row is inserted or
30       updated, while if false or null is returned then an error occurs.
31
32       For INSERT, UPDATE, and MERGE statements, WITH CHECK expressions are
33       enforced after BEFORE triggers are fired, and before any actual data
34       modifications are made. Thus a BEFORE ROW trigger may modify the data
35       to be inserted, affecting the result of the security policy check.
36       WITH CHECK expressions are enforced before any other constraints.
37
38       Policy names are per-table. Therefore, one policy name can be used for
39       many different tables and have a definition for each table which is
40       appropriate to that table.
41
42       Policies can be applied for specific commands or for specific roles.
43       The default for newly created policies is that they apply for all
44       commands and roles, unless otherwise specified. Multiple policies may
45       apply to a single command; see below for more details.  Table 292
46       summarizes how the different types of policy apply to specific
47       commands.
48
49       For policies that can have both USING and WITH CHECK expressions (ALL
50       and UPDATE), if no WITH CHECK expression is defined, then the USING
51       expression will be used both to determine which rows are visible
52       (normal USING case) and which new rows will be allowed to be added
53       (WITH CHECK case).
54
55       If row-level security is enabled for a table, but no applicable
56       policies exist, a “default deny” policy is assumed, so that no rows
57       will be visible or updatable.
58

PARAMETERS

60       name
61           The name of the policy to be created. This must be distinct from
62           the name of any other policy for the table.
63
64       table_name
65           The name (optionally schema-qualified) of the table the policy
66           applies to.
67
68       PERMISSIVE
69           Specify that the policy is to be created as a permissive policy.
70           All permissive policies which are applicable to a given query will
71           be combined together using the Boolean “OR” operator. By creating
72           permissive policies, administrators can add to the set of records
73           which can be accessed. Policies are permissive by default.
74
75       RESTRICTIVE
76           Specify that the policy is to be created as a restrictive policy.
77           All restrictive policies which are applicable to a given query will
78           be combined together using the Boolean “AND” operator. By creating
79           restrictive policies, administrators can reduce the set of records
80           which can be accessed as all restrictive policies must be passed
81           for each record.
82
83           Note that there needs to be at least one permissive policy to grant
84           access to records before restrictive policies can be usefully used
85           to reduce that access. If only restrictive policies exist, then no
86           records will be accessible. When a mix of permissive and
87           restrictive policies are present, a record is only accessible if at
88           least one of the permissive policies passes, in addition to all the
89           restrictive policies.
90
91       command
92           The command to which the policy applies. Valid options are ALL,
93           SELECT, INSERT, UPDATE, and DELETE.  ALL is the default. See below
94           for specifics regarding how these are applied.
95
96       role_name
97           The role(s) to which the policy is to be applied. The default is
98           PUBLIC, which will apply the policy to all roles.
99
100       using_expression
101           Any SQL conditional expression (returning boolean). The conditional
102           expression cannot contain any aggregate or window functions. This
103           expression will be added to queries that refer to the table if
104           row-level security is enabled. Rows for which the expression
105           returns true will be visible. Any rows for which the expression
106           returns false or null will not be visible to the user (in a
107           SELECT), and will not be available for modification (in an UPDATE
108           or DELETE). Such rows are silently suppressed; no error is
109           reported.
110
111       check_expression
112           Any SQL conditional expression (returning boolean). The conditional
113           expression cannot contain any aggregate or window functions. This
114           expression will be used in INSERT and UPDATE queries against the
115           table if row-level security is enabled. Only rows for which the
116           expression evaluates to true will be allowed. An error will be
117           thrown if the expression evaluates to false or null for any of the
118           records inserted or any of the records that result from the update.
119           Note that the check_expression is evaluated against the proposed
120           new contents of the row, not the original contents.
121
122   Per-Command Policies
123       ALL
124           Using ALL for a policy means that it will apply to all commands,
125           regardless of the type of command. If an ALL policy exists and more
126           specific policies exist, then both the ALL policy and the more
127           specific policy (or policies) will be applied. Additionally, ALL
128           policies will be applied to both the selection side of a query and
129           the modification side, using the USING expression for both cases if
130           only a USING expression has been defined.
131
132           As an example, if an UPDATE is issued, then the ALL policy will be
133           applicable both to what the UPDATE will be able to select as rows
134           to be updated (applying the USING expression), and to the resulting
135           updated rows, to check if they are permitted to be added to the
136           table (applying the WITH CHECK expression, if defined, and the
137           USING expression otherwise). If an INSERT or UPDATE command
138           attempts to add rows to the table that do not pass the ALL policy's
139           WITH CHECK expression, the entire command will be aborted.
140
141       SELECT
142           Using SELECT for a policy means that it will apply to SELECT
143           queries and whenever SELECT permissions are required on the
144           relation the policy is defined for. The result is that only those
145           records from the relation that pass the SELECT policy will be
146           returned during a SELECT query, and that queries that require
147           SELECT permissions, such as UPDATE, will also only see those
148           records that are allowed by the SELECT policy. A SELECT policy
149           cannot have a WITH CHECK expression, as it only applies in cases
150           where records are being retrieved from the relation.
151
152       INSERT
153           Using INSERT for a policy means that it will apply to INSERT
154           commands and MERGE commands that contain INSERT actions. Rows being
155           inserted that do not pass this policy will result in a policy
156           violation error, and the entire INSERT command will be aborted. An
157           INSERT policy cannot have a USING expression, as it only applies in
158           cases where records are being added to the relation.
159
160           Note that INSERT with ON CONFLICT DO UPDATE checks INSERT policies'
161           WITH CHECK expressions only for rows appended to the relation by
162           the INSERT path.
163
164       UPDATE
165           Using UPDATE for a policy means that it will apply to UPDATE,
166           SELECT FOR UPDATE and SELECT FOR SHARE commands, as well as
167           auxiliary ON CONFLICT DO UPDATE clauses of INSERT commands.  MERGE
168           commands containing UPDATE actions are affected as well. Since
169           UPDATE involves pulling an existing record and replacing it with a
170           new modified record, UPDATE policies accept both a USING expression
171           and a WITH CHECK expression. The USING expression determines which
172           records the UPDATE command will see to operate against, while the
173           WITH CHECK expression defines which modified rows are allowed to be
174           stored back into the relation.
175
176           Any rows whose updated values do not pass the WITH CHECK expression
177           will cause an error, and the entire command will be aborted. If
178           only a USING clause is specified, then that clause will be used for
179           both USING and WITH CHECK cases.
180
181           Typically an UPDATE command also needs to read data from columns in
182           the relation being updated (e.g., in a WHERE clause or a RETURNING
183           clause, or in an expression on the right hand side of the SET
184           clause). In this case, SELECT rights are also required on the
185           relation being updated, and the appropriate SELECT or ALL policies
186           will be applied in addition to the UPDATE policies. Thus the user
187           must have access to the row(s) being updated through a SELECT or
188           ALL policy in addition to being granted permission to update the
189           row(s) via an UPDATE or ALL policy.
190
191           When an INSERT command has an auxiliary ON CONFLICT DO UPDATE
192           clause, if the UPDATE path is taken, the row to be updated is first
193           checked against the USING expressions of any UPDATE policies, and
194           then the new updated row is checked against the WITH CHECK
195           expressions. Note, however, that unlike a standalone UPDATE
196           command, if the existing row does not pass the USING expressions,
197           an error will be thrown (the UPDATE path will never be silently
198           avoided).
199
200       DELETE
201           Using DELETE for a policy means that it will apply to DELETE
202           commands. Only rows that pass this policy will be seen by a DELETE
203           command. There can be rows that are visible through a SELECT that
204           are not available for deletion, if they do not pass the USING
205           expression for the DELETE policy.
206
207           In most cases a DELETE command also needs to read data from columns
208           in the relation that it is deleting from (e.g., in a WHERE clause
209           or a RETURNING clause). In this case, SELECT rights are also
210           required on the relation, and the appropriate SELECT or ALL
211           policies will be applied in addition to the DELETE policies. Thus
212           the user must have access to the row(s) being deleted through a
213           SELECT or ALL policy in addition to being granted permission to
214           delete the row(s) via a DELETE or ALL policy.
215
216           A DELETE policy cannot have a WITH CHECK expression, as it only
217           applies in cases where records are being deleted from the relation,
218           so that there is no new row to check.
219
220       Table 292. Policies Applied by Command Type
221       ┌─────────────┬─────────────┬────────────┬─────────────────────────┬────────────┐
222       │             │ SELECT/ALL  INSERT/ALL UPDATE/ALL policy       DELETE/ALL 
223       │             │ policy      policy     │                         │ policy     
224Command      ├─────────────┼────────────┼────────────┬────────────┼────────────┤
225       │             │ USING       WITH CHECK USING      WITH CHECK USING      
226       │             │ expression  expression expression expression expression 
227       ├─────────────┼─────────────┼────────────┼────────────┼────────────┼────────────┤
228SELECT       │ Existing    │ —          │ —          │ —          │ —          │
229       │             │ row         │            │            │            │            │
230       ├─────────────┼─────────────┼────────────┼────────────┼────────────┼────────────┤
231SELECT FOR   │ Existing    │ —          │ Existing   │ —          │ —          │
232UPDATE/SHARE │ row         │            │ row        │            │            │
233       ├─────────────┼─────────────┼────────────┼────────────┼────────────┼────────────┤
234INSERT /     │ —           │ New row    │ —          │ —          │ —          │
235MERGE ...    │             │            │            │            │            │
236THEN INSERT  │             │            │            │            │            │
237       ├─────────────┼─────────────┼────────────┼────────────┼────────────┼────────────┤
238INSERT ...   │ New row [a] │ New row    │ —          │ —          │ —          │
239RETURNING    │             │            │            │            │            │
240       ├─────────────┼─────────────┼────────────┼────────────┼────────────┼────────────┤
241UPDATE /     │ Existing &  │ —          │ Existing   │ New row    │ —          │
242MERGE ...    │ new rows    │            │ row        │            │            │
243THEN UPDATE  │ [a]         │            │            │            │            │
244       ├─────────────┼─────────────┼────────────┼────────────┼────────────┼────────────┤
245DELETE       │ Existing    │ —          │ —          │ —          │ Existing   │
246       │             │ row [a]     │            │            │            │ row        │
247       ├─────────────┼─────────────┼────────────┼────────────┼────────────┼────────────┤
248ON CONFLICT  │ Existing &  │ —          │ Existing   │ New row    │ —          │
249DO UPDATE    │ new rows    │            │ row        │            │            │
250       ├─────────────┴─────────────┴────────────┴────────────┴────────────┴────────────┤
251       │----                                                                           │
252       │[a] If read access is required to the existing or new row (for                 │
253       │example, a WHERE or RETURNING clause that refers to columns from               │
254       │the relation).                                                                 │
255       └───────────────────────────────────────────────────────────────────────────────┘
256
257   Application of Multiple Policies
258       When multiple policies of different command types apply to the same
259       command (for example, SELECT and UPDATE policies applied to an UPDATE
260       command), then the user must have both types of permissions (for
261       example, permission to select rows from the relation as well as
262       permission to update them). Thus the expressions for one type of policy
263       are combined with the expressions for the other type of policy using
264       the AND operator.
265
266       When multiple policies of the same command type apply to the same
267       command, then there must be at least one PERMISSIVE policy granting
268       access to the relation, and all of the RESTRICTIVE policies must pass.
269       Thus all the PERMISSIVE policy expressions are combined using OR, all
270       the RESTRICTIVE policy expressions are combined using AND, and the
271       results are combined using AND. If there are no PERMISSIVE policies,
272       then access is denied.
273
274       Note that, for the purposes of combining multiple policies, ALL
275       policies are treated as having the same type as whichever other type of
276       policy is being applied.
277
278       For example, in an UPDATE command requiring both SELECT and UPDATE
279       permissions, if there are multiple applicable policies of each type,
280       they will be combined as follows:
281
282           expression from RESTRICTIVE SELECT/ALL policy 1
283           AND
284           expression from RESTRICTIVE SELECT/ALL policy 2
285           AND
286           ...
287           AND
288           (
289             expression from PERMISSIVE SELECT/ALL policy 1
290             OR
291             expression from PERMISSIVE SELECT/ALL policy 2
292             OR
293             ...
294           )
295           AND
296           expression from RESTRICTIVE UPDATE/ALL policy 1
297           AND
298           expression from RESTRICTIVE UPDATE/ALL policy 2
299           AND
300           ...
301           AND
302           (
303             expression from PERMISSIVE UPDATE/ALL policy 1
304             OR
305             expression from PERMISSIVE UPDATE/ALL policy 2
306             OR
307             ...
308           )
309

NOTES

311       You must be the owner of a table to create or change policies for it.
312
313       While policies will be applied for explicit queries against tables in
314       the database, they are not applied when the system is performing
315       internal referential integrity checks or validating constraints. This
316       means there are indirect ways to determine that a given value exists.
317       An example of this is attempting to insert a duplicate value into a
318       column that is a primary key or has a unique constraint. If the insert
319       fails then the user can infer that the value already exists. (This
320       example assumes that the user is permitted by policy to insert records
321       which they are not allowed to see.) Another example is where a user is
322       allowed to insert into a table which references another, otherwise
323       hidden table. Existence can be determined by the user inserting values
324       into the referencing table, where success would indicate that the value
325       exists in the referenced table. These issues can be addressed by
326       carefully crafting policies to prevent users from being able to insert,
327       delete, or update records at all which might possibly indicate a value
328       they are not otherwise able to see, or by using generated values (e.g.,
329       surrogate keys) instead of keys with external meanings.
330
331       Generally, the system will enforce filter conditions imposed using
332       security policies prior to qualifications that appear in user queries,
333       in order to prevent inadvertent exposure of the protected data to
334       user-defined functions which might not be trustworthy. However,
335       functions and operators marked by the system (or the system
336       administrator) as LEAKPROOF may be evaluated before policy expressions,
337       as they are assumed to be trustworthy.
338
339       Since policy expressions are added to the user's query directly, they
340       will be run with the rights of the user running the overall query.
341       Therefore, users who are using a given policy must be able to access
342       any tables or functions referenced in the expression or they will
343       simply receive a permission denied error when attempting to query the
344       table that has row-level security enabled. This does not change how
345       views work, however. As with normal queries and views, permission
346       checks and policies for the tables which are referenced by a view will
347       use the view owner's rights and any policies which apply to the view
348       owner, except if the view is defined using the security_invoker option
349       (see CREATE VIEW).
350
351       No separate policy exists for MERGE. Instead, the policies defined for
352       SELECT, INSERT, UPDATE, and DELETE are applied while executing MERGE,
353       depending on the actions that are performed.
354
355       Additional discussion and practical examples can be found in
356       Section 5.8.
357

COMPATIBILITY

359       CREATE POLICY is a PostgreSQL extension.
360

SEE ALSO

362       ALTER POLICY (ALTER_POLICY(7)), DROP POLICY (DROP_POLICY(7)), ALTER
363       TABLE (ALTER_TABLE(7))
364
365
366
367PostgreSQL 16.1                      2023                     CREATE POLICY(7)
Impressum