Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tB9RV-0029sy-Bk
	for pgsql-general@arkaria.postgresql.org; Wed, 13 Nov 2024 09:13:40 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tB9RS-00Ccv1-FF
	for pgsql-general@arkaria.postgresql.org; Wed, 13 Nov 2024 09:13:39 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <mphillips@mophilly.com>)
	id 1tAw2F-008ldh-5E
	for pgsql-general@lists.postgresql.org; Tue, 12 Nov 2024 18:54:43 +0000
Received: from smtp.narocalifornia.org ([206.214.166.96] helo=mophilly.com)
	by magus.postgresql.org with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <mphillips@mophilly.com>)
	id 1tAw27-001aFB-Sq
	for pgsql-general@postgresql.org; Tue, 12 Nov 2024 18:54:43 +0000
Received: (qmail 26799 invoked by uid 453); 12 Nov 2024 18:54:32 -0000
X-Virus-Checked: by ClamAV 0.103.11 on mophilly.com
X-Virus-Found: No
Authentication-Results: mophilly.com; auth=pass (plain) smtp.auth=mphillips
Received: from wsip-98-173-51-151.sd.sd.cox.net (HELO smtpclient.apple) (98.173.51.151)
 by mophilly.com (qpsmtpd/0.96) with ESMTPSA (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Tue, 12 Nov 2024 10:54:32 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mophilly.com; h=content-type:mime-version:subject:from:in-reply-to:date:cc:content-transfer-encoding:message-id:references:to; s=default; bh=yWW0OZGoVYG8FvhhBrTKf5ULXld9Xi0M1cMF+gvRVNo=; b=Cty6S1HXwZloSlAXiuyW8NHBC1NHnu1O11EmGNKoOyx2Mt6wBWotrgdCOYT/DKAMYTLz6QGVd1QBPcxEa9JC5BKQoXc+3mORap67ryprbXo9R7xDtnyaqxHnRZDUI4/BxqIbZtPlsgtudycU5tlOn+i7vT2g4XNyLm0oE9EdikRSqbbVw0DVaZ1Wi2RB7fjFg9UmyjYbgsEVpegrV0agZmXonlal8YFIOPIudnN1ZFZ0bahhoo6aBd1cwfGM4vDYe3reQyY9KlNfVpOIMbgaG3FbUPAKPYpPie5LA6LRjG3or+g998w56v7JgX5Uxu7EnQD8L75YM0oVen5PDXzWYQ==
Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.200.121\))
Subject: Re: create policy statement USING clause
From: Mark Phillips <mphillips@mophilly.com>
In-Reply-To: <e281aa4941402a4b63f570ddf58f81721432f58e.camel@cybertec.at>
Date: Tue, 12 Nov 2024 10:54:21 -0800
Cc: pgsql-general@postgresql.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <45E37776-2020-4FD2-BEB4-E02477B630EC@mophilly.com>
References: <054FBFBF-C87C-4C3C-B6F5-D5C09E6A7F1A@mophilly.com>
 <e281aa4941402a4b63f570ddf58f81721432f58e.camel@cybertec.at>
To: Laurenz Albe <laurenz.albe@cybertec.at>
X-Mailer: Apple Mail (2.3826.200.121)
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/45E37776-2020-4FD2-BEB4-E02477B630EC%40mophilly.com>
Precedence: bulk

Thank you for the reply. I appreciate it very much.

I checked the data for null in the column values, but I didn't any. I =
started over from the beginning with a fresh clone of the database, and =
followed the set up in ordered fashion, including a little routine to =
assure valid data in the column, and it now works fine. The better form =
of the USING clause certainly helped. I am happy to share my notes if =
someone would like to see them.

As for pg 12, an update to the current stable release is on the project =
roadmap.

Cheers,

 - Mark

> On Nov 12, 2024, at 12:48=E2=80=AFAM, Laurenz Albe =
<laurenz.albe@cybertec.at> wrote:
>=20
> On Mon, 2024-11-11 at 15:10 -0800, Mark Phillips wrote:
>> PostgreSQL 12
>=20
> Upgrade now!
>=20
>> Given a table =E2=80=9Ccustomer=E2=80=9D with a column =
=E2=80=9Cdeadfiled=E2=80=9D of the type boolean. The column
>> deadfiled is used to indicate that a row is =E2=80=9Cin the trash =
bin=E2=80=9D. The app has a window
>> that lists the contents of the =E2=80=9Ctrash bin=E2=80=9D, which any =
rows with deadfiled =3D true.
>> Row so marked should be excluded from views and queries in all other =
cases when the
>> current user has the role =E2=80=9Capp_user".
>>=20
>> I thought I could use row level security (RLS) to filter out all the =
deadfiled rows.=20
>>=20
>> ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
>> CREATE POLICY filter_customer_deadfiled
>> 	ON public.customer
>> 	FOR SELECT
>> 	TO app_staff
>> 	USING ( NOT deadfiled );
>>=20
>> However, that did not work as desired. I have read through a dozen =
articles and posts
>> online but haven=E2=80=99t figured out the USING clause. To my =
surprise, this worked:
>> CREATE POLICY customer_deadfiled
>> ON public.customer
>> AS PERMISSIVE
>> FOR SELECT
>> TO prm_staff
>> USING (coalesce(deadfiled,false)=3Dfalse);
>>=20
>> So my question is specifically about the USING clause, but also more =
broadly about
>> this attempted application of RLS.
>=20
> It seems that your problem is that "deadfiled" is NULL in some rows, =
any you want
> such rows to be considered live.
>=20
> Since NOT NULL is not TRUE, you'd have to use a USING clause like
>=20
>  USING (deadfiled IS NOT TRUE)
>=20
> Yours,
> Laurenz Albe