EdgeDB Developer Day | Nov 1st | Register now
Search
Ask AI
Developer Day
Light
Dark
System
v3latest
v3latest
v2
v1

Access Policies

This section describes the DDL commands pertaining to access policies.

Create access policy

Declare a new object access policy.

[ with with-item [, ...] ]
{ create | alter } type TypeName "{"
  [ ... ]
  create access policy name
    [ when (condition) ; ]
    { allow | deny } action [, action ... ; ]
    [ using (expr) ; ]
    [ create annotation annotation-name := value ; ]
    [ "{"
       [ set errmessage := value ; ]
      "}" ; ]
"}"

where action is one of
all
select
insert
delete
update [{ read | write }]

Description

The combination {create | alter} type ... create access policy defines a new access policy for a given object type.

Parameters

Most sub-commands and options of this command are identical to the SDL access policy declaration.

name

The name of the access policy.

when (condition)

Specifies which objects this policy applies to. The condition has to be a bool expression.

When omitted, it is assumed that this policy applies to all objects of a given type.

allow

Indicates that qualifying objects should allow access under this policy.

deny

Indicates that qualifying objects should not allow access under this policy. This flavor supersedes any allow policy and can be used to selectively deny access to a subset of objects that otherwise explicitly allows accessing them.

all

Apply the policy to all actions. It is exactly equivalent to listing select, insert, delete, update actions explicitly.

select

Apply the policy to all selection queries. Note that any object that cannot be selected, cannot be modified either. This makes select the most basic “visibility” policy.

insert

Apply the policy to all inserted objects. If a newly inserted object would violate this policy, an error is produced instead.

delete

Apply the policy to all objects about to be deleted. If an object does not allow access under this kind of policy, it is not going to be considered by any delete command.

Note that any object that cannot be selected, cannot be modified either.

update read

Apply the policy to all objects selected for an update. If an object does not allow access under this kind of policy, it is not visible cannot be updated.

Note that any object that cannot be selected, cannot be modified either.

update write

Apply the policy to all objects at the end of an update. If an updated object violates this policy, an error is produced instead.

Note that any object that cannot be selected, cannot be modified either.

update

This is just a shorthand for update read and update write.

Note that any object that cannot be selected, cannot be modified either.

using expr

Specifies what the policy is with respect to a given eligible (based on when clause) object. The expr has to be a bool expression. The specific meaning of this value also depends on whether this policy flavor is allow or deny.

When omitted, it is assumed that this policy applies to all eligible objects of a given type.

The following subcommands are allowed in the create access policy block:

New
set errmessage := value

Set a custom error message of value that is displayed when this access policy prevents a write action.

create annotation annotation-name := value

Set access policy annotation annotation-name to value.

See create annotation for details.

Alter access policy

Declare a new object access policy.

[ with with-item [, ...] ]
alter type TypeName "{"
  [ ... ]
  alter access policy name "{"
    [ when (condition) ; ]
    [ reset when ; ]
    { allow | deny } action [, action ... ; ]
    [ using (expr) ; ]
    [ set errmessage := value ; ]
    [ reset expression ; ]
    [ create annotation annotation-name := value ; ]
    [ alter annotation annotation-name := value ; ]
    [ drop annotation annotation-name; ]
  "}"
"}"

where action is one of
all
select
insert
delete
update [{ read | write }]

Description

The combination {create | alter} type ... create access policy defines a new access policy for a given object type.

Parameters

The parameters describing the action policy are identical to the parameters used by create action policy. There are a handful of additional subcommands that are allowed in the create access policy block:

reset when

Clear the when (condition) so that the policy applies to all objects of a given type. This is equivalent to when (true).

reset expression

Clear the using (condition) so that the policy always passes. This is equivalent to using (true).

alter annotation annotation-name;

Alter access policy annotation annotation-name. See alter annotation for details.

drop annotation annotation-name;

Remove access policy annotation annotation-name. See drop annotation for details.

All the subcommands allowed in the create access policy block are also valid subcommands for alter access policy block.

Drop access policy

Remove an access policy from an object type.

[ with with-item [, ...] ]
alter type TypeName "{"
  [ ... ]
  drop access policy name ;
"}"

Description

The combination alter type ... drop access policy removes the specified access policy from a given object type.

DDLGlobals
DDLFunctions
Light
Dark
System
Product
HomeInstallCloud Status
Resources
QuickstartDocumentationTutorialEasy EdgeDBCommunity
Company
AboutCareersPress KitTerms of UsePrivacy PolicyCloud Terms and Conditions
Newsletter
Subscribe to our mailing list to be the first to know about new blog posts and announcements.
RSS

© 2022, EdgeDB Inc.

We use ChatGPT with additional context from our documentation to answer your questions. Not all answers will be accurate. Please join our Discord if you need more help.