Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tAmZj-00064U-Fq
	for pgsql-general@arkaria.postgresql.org; Tue, 12 Nov 2024 08:48:39 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tAmZg-004VOJ-TI
	for pgsql-general@arkaria.postgresql.org; Tue, 12 Nov 2024 08:48:37 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1tAmZg-004VOB-Hl
	for pgsql-general@lists.postgresql.org; Tue, 12 Nov 2024 08:48:37 +0000
Received: from mail-ed1-x52a.google.com ([2a00:1450:4864:20::52a])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1tAmZd-001VQI-M0
	for pgsql-general@postgresql.org; Tue, 12 Nov 2024 08:48:36 +0000
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-5c937b5169cso1759540a12.1
        for <pgsql-general@postgresql.org>; Tue, 12 Nov 2024 00:48:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=cybertec.at; s=cybertec.at; t=1731401313; x=1732006113; darn=postgresql.org;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date
         :message-id:reply-to;
        bh=td7Q9ibTsvdhj6YfoaYPy8L8K+cAJ8/Tcf0w8C2Af40=;
        b=jXA/MUKuBNp//cyiaAZ5XcbG6HdR4YP2rocyupJCozxIaTfQy6movxC6T9N9pmns3g
         diJvbsEuNaZOnJWvhYOJBaVrhKxE91vGVX3f8+KtYLGMqtv2rSeVcYAoh01oLeYPjq1d
         7VHboP1IZYXM/5VTXxozGjr/Gu+HQTPcPoEUk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1731401313; x=1732006113;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=td7Q9ibTsvdhj6YfoaYPy8L8K+cAJ8/Tcf0w8C2Af40=;
        b=olNOa2kZOCV9UaSe3tTpIYe5JyVF0C8b3bxuWGGjjVg+Vdz+CrRTMMQMHDDp8bksds
         X/bKbH4qp7w5GbTspBJMVMa70E3JHyPd+mbI5IU1FqNLvjbW3erE2Jocy5+jq6+845ow
         B+JYRIihmwxxctUmx0YXlkqk4i7XimqkcvR6HVKwvmoaTMmEDY1aj4Dt5gyXnAy00op8
         alqfUmziiNCJLlnA+2v2V8mEo3ql2YS7zMDMBtIdYRMcBQ7IBMHUe8OsFB8/qkiobVUY
         rZqOR/8M+OQvse6ljd/cMrpbywYFwT9ijPX2hhPztTWGK34vlzx8ZwocyfEqGyHPPsXC
         vuvg==
X-Forwarded-Encrypted: i=1; AJvYcCUbKbntMxhEUIMRS8sK3AzvdajbF65eKLn0kDFfW/xbQFIy7Aji4a5a3dQK6dNs8lnZcEaJJyUBzeE/UlHQ@postgresql.org
X-Gm-Message-State: AOJu0YxNzDKXaSac3A25iH8xtmxC6zOC2sslmxNSD60yY5sOvCdBvVw1
	qabblH9kcHrrw37DyuS1TKTo4/qtOf725qXnagjsmuUe7t7lo8lsIhyH5/UsILw=
X-Google-Smtp-Source: AGHT+IHlrtJ+xQhUK63IF7sVKsPla10DvwayX7j3KxjZPtIgkgi4Cgyr9fZRQL8rS66QOOFsJ/yY3g==
X-Received: by 2002:a05:6402:13c3:b0:5ce:dc71:5928 with SMTP id 4fb4d7f45d1cf-5cf0973658fmr13863087a12.12.1731401312702;
        Tue, 12 Nov 2024 00:48:32 -0800 (PST)
Received: from localhost.localdomain ([88.116.133.170])
        by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5cf3d301d96sm2064215a12.39.2024.11.12.00.48.32
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 12 Nov 2024 00:48:32 -0800 (PST)
Message-ID: <e281aa4941402a4b63f570ddf58f81721432f58e.camel@cybertec.at>
Subject: Re: create policy statement USING clause
From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Mark Phillips <mphillips@mophilly.com>, pgsql-general@postgresql.org
Date: Tue, 12 Nov 2024 09:48:31 +0100
In-Reply-To: <054FBFBF-C87C-4C3C-B6F5-D5C09E6A7F1A@mophilly.com>
References: <054FBFBF-C87C-4C3C-B6F5-D5C09E6A7F1A@mophilly.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.52.4 (3.52.4-2.fc40) 
MIME-Version: 1.0
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/e281aa4941402a4b63f570ddf58f81721432f58e.camel%40cybertec.at>
Precedence: bulk

On Mon, 2024-11-11 at 15:10 -0800, Mark Phillips wrote:
> PostgreSQL 12

Upgrade now!

> Given a table =E2=80=9Ccustomer=E2=80=9D with a column =E2=80=9Cdeadfiled=
=E2=80=9D of the type boolean. The column
> deadfiled is used to indicate that a row is =E2=80=9Cin the trash bin=E2=
=80=9D. The app has a window
> that lists the contents of the =E2=80=9Ctrash bin=E2=80=9D, which any row=
s with deadfiled =3D true.
> Row so marked should be excluded from views and queries in all other case=
s when the
> current user has the role =E2=80=9Capp_user".
>=20
> I thought I could use row level security (RLS) to filter out all the dead=
filed rows.=20
>=20
> ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
> CREATE POLICY filter_customer_deadfiled
> 	ON public.customer
> 	FOR SELECT
> 	TO app_staff
> 	USING ( NOT deadfiled );
>=20
> However, that did not work as desired. I have read through a dozen articl=
es and posts
> online but haven=E2=80=99t figured out the USING clause. To my surprise, =
this worked:
> CREATE POLICY customer_deadfiled
> ON public.customer
> AS PERMISSIVE
> FOR SELECT
> TO prm_staff
> USING (coalesce(deadfiled,false)=3Dfalse);
>=20
> So my question is specifically about the USING clause, but also more broa=
dly about
> this attempted application of RLS.

It seems that your problem is that "deadfiled" is NULL in some rows, any yo=
u want
such rows to be considered live.

Since NOT NULL is not TRUE, you'd have to use a USING clause like

  USING (deadfiled IS NOT TRUE)

Yours,
Laurenz Albe