This section describes the DDL commands pertaining to access policies.
Declare a new object access policy.
[ with with-item [, ...] ]
{ create | alter } type TypeName "{"
[ ... ]
create access policy name
[ when (condition) ; ]
{ allow | deny } action [, action ... ; ]
[ using (expr) ; ]
[ create annotation annotation-name := value ; ]
[ "{"
[ set errmessage := value ; ]
"}" ; ]
"}"
where action is one of
all
select
insert
delete
update [{ read | write }]
The combination {create | alter} type ... create access policy defines a new access policy for a given object type.
Most sub-commands and options of this command are identical to the SDL access policy declaration.
The name of the access policy.
Specifies which objects this policy applies to. The
condition has to be a bool
expression.
When omitted, it is assumed that this policy applies to all objects of a given type.
Indicates that qualifying objects should allow access under this policy.
Indicates that qualifying objects should not allow access under this policy. This flavor supersedes any allow policy and can be used to selectively deny access to a subset of objects that otherwise explicitly allows accessing them.
Apply the policy to all actions. It is exactly equivalent to listing select, insert, delete, update actions explicitly.
Apply the policy to all selection queries. Note that any object that cannot be selected, cannot be modified either. This makes select the most basic “visibility” policy.
Apply the policy to all inserted objects. If a newly inserted object would violate this policy, an error is produced instead.
Apply the policy to all objects about to be deleted. If an object does not
allow access under this kind of policy, it is not going to be considered
by any delete
command.
Note that any object that cannot be selected, cannot be modified either.
Apply the policy to all objects selected for an update. If an object does not allow access under this kind of policy, it is not visible cannot be updated.
Note that any object that cannot be selected, cannot be modified either.
Apply the policy to all objects at the end of an update. If an updated object violates this policy, an error is produced instead.
Note that any object that cannot be selected, cannot be modified either.
This is just a shorthand for update read and update write.
Note that any object that cannot be selected, cannot be modified either.
Specifies what the policy is with respect to a given eligible (based on
when clause) object. The expr has to be
a bool
expression. The specific meaning of this value also
depends on whether this policy flavor is allow or
deny.
When omitted, it is assumed that this policy applies to all eligible objects of a given type.
The following subcommands are allowed in the create access policy
block:
Set a custom error message of value that is displayed when this access policy prevents a write action.
Set access policy annotation annotation-name to value.
See create annotation
for details.
Declare a new object access policy.
[ with with-item [, ...] ]
alter type TypeName "{"
[ ... ]
alter access policy name "{"
[ when (condition) ; ]
[ reset when ; ]
{ allow | deny } action [, action ... ; ]
[ using (expr) ; ]
[ set errmessage := value ; ]
[ reset expression ; ]
[ create annotation annotation-name := value ; ]
[ alter annotation annotation-name := value ; ]
[ drop annotation annotation-name; ]
"}"
"}"
where action is one of
all
select
insert
delete
update [{ read | write }]
The combination {create | alter} type ... create access policy defines a new access policy for a given object type.
The parameters describing the action policy are identical to the parameters
used by create action policy
. There are a handful of additional
subcommands that are allowed in the create access policy
block:
Clear the when (condition) so that the policy applies to
all objects of a given type. This is equivalent to when (true)
.
Clear the using (condition) so that the policy always
passes. This is equivalent to using (true)
.
Alter access policy annotation annotation-name.
See alter annotation
for details.
Remove access policy annotation annotation-name.
See drop annotation
for details.
All the subcommands allowed in the create access policy
block are also
valid subcommands for alter access policy
block.
Remove an access policy from an object type.
[ with with-item [, ...] ]
alter type TypeName "{"
[ ... ]
drop access policy name ;
"}"
The combination alter type ... drop access policy removes the specified access policy from a given object type.