Row level security
Permission graph
Policy matrix
| APAAA | Module | Object / Expression | Affected Role / Classification | Select | Insert | Update | Delete | Policy name |
|---|---|---|---|---|---|---|---|---|
| log | AuditEntry | |||||||
| Anyone | A | anyone__allow_insert | ||||||
ControllerRole.Admin ControllerRole.Auditor | A | admin_auditor__allow_select | ||||||
X | auth | Account | ||||||
global auth::current_account.id equal to .id property | A | A | A | A | owner__allow_all | |||
ControllerRole.Service | A | A | service__allow_select_insert | |||||
X | auth | Profile | ||||||
Account linked to .owner property | A | A | A | owner__allow_select_insert_update | ||||
Account with .enabled property set to true | A | enabled_account__allow_select | ||||||
X | auth | TenantMembership | ||||||
TenantRole.Manager | A | A | A | A | manager__allow_all | |||
((.tenant_role ?= TenantRole.Member) and (.tenant_role ?= TenantRole.Guest)) | TenantRole.Maintainer | A | A | A | maintainer__allow_insert_update_delete_on_members_and_guests | |||
TenantRole.Member TenantRole.Maintainer | A | member_maintainer__allow_select | ||||||
X | auth | TeamMembership | ||||||
TeamRole.Leader TenantRole.Manager TenantRole.Maintainer | A | A | A | A | leader_manager_maintainer__allow_all | |||
(.team_role ?= TeamRole.Analyst) | TeamRole.Moderator | A | A | A | moderator__allow_insert_update_delete_on_analysts | |||
Account in .team.tenant.memberships | A | tenant_membership__allow_select | ||||||
X | ident | Team | ||||||
TeamRole.Leader TenantRole.Manager | A | A | A | A | leader_manager__allow_all | |||
TeamRole.Moderator TenantRole.Maintainer | A | moderator_maintainer__allow_update | ||||||
Account in .tenant.memberships | A | tenant_membership__allow_select | ||||||
X | infra | Tenant | ||||||
TenantRole.Manager | A | A | A | A | manager__allow_all | |||
TenantRole.Maintainer | A | A | maintainer__allow_select_update | |||||
Account in .membership | A | membership__allow_select | ||||||
X | infra | Relay | ||||||
TenantRole.Manager | A | A | A | A | manager__allow_all | |||
TenantRole.Maintainer | A | maintainer__allow_select_update | ||||||
ControllerRole.Service or Account in .tenant.memberships | A | service_tenant_membership_allow_select | ||||||
(.shared == true) | Anyone | A | anyone__allow_select_on_shared | |||||
X | infra | Node | ||||||
TenantRole.Manager TeamRole.Leader | A | A | A | A | manager_leader__allow_all | |||
TenantRole.Maintainer TeamRole.Moderator | A | maintainer_moderator__allow_update | ||||||
ControllerRole.Service or Account in .campaign.team.membership | A | service_team_membership__allow_select | ||||||
X | infra | Domain | ||||||
TenantRole.Manager TeamRole.Leader | A | A | A | A | manager_leader__allow_all | |||
ControllerRole.Service TenantRole.Maintainer | A | service_maintainer__allow_update | ||||||
Account in .campaign.team.memberships | A | team_membership__allow_select | ||||||
X | infra | Route | ||||||
TenantRole.Manager | A | A | A | A | manager__allow_all | |||
ControllerRole.Service | A | A | service__allow_select_update |
Legend
| Keyword | Explanation |
|---|---|
A | Allow |
D | Deny |
Account | Account linked to ID passed as global variable auth::current_account_id within database connection. It can be accessed via global auth::current_account. |
Access policies
Admin Allow All
internal::APAAA
Allows all accounts with ControllerRole.Admin applied to perform ALL kind of operations on a specific dataset.
access policy internal__controller_admin__allow_all
allow all
using (global auth::current_account.controller_role ?= auth::ControllerRole.Admin) {
errmessage := 'Controller role "Admin" required'
}