From 39f2594ba54657f3fa8d0fe230447e673bcba2a4 Mon Sep 17 00:00:00 2001 From: Robert Haas Date: Wed, 7 Jan 2015 14:49:59 -0500 Subject: [PATCH] docs: Reword CREATE POLICY documentation. --- doc/src/sgml/ref/create_policy.sgml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/doc/src/sgml/ref/create_policy.sgml b/doc/src/sgml/ref/create_policy.sgml index 4c8c001931..8ef8556b51 100644 --- a/doc/src/sgml/ref/create_policy.sgml +++ b/doc/src/sgml/ref/create_policy.sgml @@ -39,16 +39,18 @@ CREATE POLICY name ON - A policy is an expression which is added to the security-barrier - qualifications of queries which are run against the table the policy is on, - or an expression which is added to the with-check options for a table and - which is applied to rows which would be added to the table. - The security-barrier qualifications will always be evaluated prior to any - user-defined functions or user-provided WHERE clauses, while the with-check - expression will be evaluated against the rows which are going to be added to - the table. By adding policies to a table, a user can limit the rows which a - given user can select, insert, update, or delete. This capability is also - known as Row Level Security or RLS. + A policy limits the ability to SELECT, INSERT, UPDATE, or DELETE rows + in a table to those rows which match the relevant policy expression. + Existing table rows are checked against the expression specified via + USING, while new rows that would be created via INSERT or UPDATE are + checked against the expression specified via WITH CHECK. Generally, + the system will enforce filter conditions imposed using security + policies prior to qualifications that appear in the query itself, in + order to the prevent the inadvertent exposure of the protected data to + user-defined functions which might not be trustworthy. However, + functions and operators marked by the system (or the system + administrator) as LEAKPROOF may be evaluated before policy + expressions, as they are assumed to be trustworthy.