[9.5] question about row level security

Hello @ll,

how can i define a policy to prevent update a single field but enable
update other fields in a row?

For instance, a staff member table. the boss should be able to change
all fields but not a specific field in all rows, but should be able to
update this field for his own row.

id | name | boss |col1 | col_privat
--------------------------------
 1 | boss | boss |  10 | boss privat
 2 | joe  | boss |  20 | joe privat
 3 | sue  | boss |  30 | sue privat

boss should be able to edit all except col_privat for id=2 and 3,
but he should be able update this column for id=1.
Therefore i can't revoce the update-priv for this column.

create policy enable_boss on <table> for update using
(boss=current_user) with check (???)

Is there a way to access old.* and new.* like within a trigger?
(something like with check(old.col_privat=new.col_privat))



Andreas
--
Really, I'm not out to destroy Microsoft. That will just be a completely
unintentional side effect.                              (Linus Torvalds)
"If I was god, I would recompile penguin with --enable-fly."   (unknown)
Kaufbach, Saxony, Germany, Europe.              N 51.05082°, E 13.56889°