@@ -72,7 +72,10 @@ CREATE POLICY <replaceable class="parameter">name</replaceable> ON <replaceable
7272 <para>
7373 Policies can be applied for specific commands or for specific roles. The
7474 default for newly created policies is that they apply for all commands and
75- roles, unless otherwise specified.
75+ roles, unless otherwise specified. Multiple policies may apply to a single
76+ command; see below for more details.
77+ <xref linkend="sql-createpolicy-summary"> summarizes how the different types
78+ of policy apply to specific commands.
7679 </para>
7780
7881 <para>
@@ -353,6 +356,105 @@ CREATE POLICY <replaceable class="parameter">name</replaceable> ON <replaceable
353356 </varlistentry>
354357
355358 </variablelist>
359+
360+ <table id="sql-createpolicy-summary">
361+ <title>Policies Applied by Command Type</title>
362+ <tgroup cols="6">
363+ <colspec colnum="4" colname="update-using">
364+ <colspec colnum="5" colname="update-check">
365+ <spanspec namest="update-using" nameend="update-check" spanname="update">
366+ <thead>
367+ <row>
368+ <entry morerows="1">Command</entry>
369+ <entry><literal>SELECT/ALL policy</literal></entry>
370+ <entry><literal>INSERT/ALL policy</literal></entry>
371+ <entry spanname="update"><literal>UPDATE/ALL policy</literal></entry>
372+ <entry><literal>DELETE/ALL policy</literal></entry>
373+ </row>
374+ <row>
375+ <entry><literal>USING expression</literal></entry>
376+ <entry><literal>WITH CHECK expression</literal></entry>
377+ <entry><literal>USING expression</literal></entry>
378+ <entry><literal>WITH CHECK expression</literal></entry>
379+ <entry><literal>USING expression</literal></entry>
380+ </row>
381+ </thead>
382+ <tbody>
383+ <row>
384+ <entry><command>SELECT</command></entry>
385+ <entry>Existing row</entry>
386+ <entry>—</entry>
387+ <entry>—</entry>
388+ <entry>—</entry>
389+ <entry>—</entry>
390+ </row>
391+ <row>
392+ <entry><command>SELECT FOR UPDATE/SHARE</command></entry>
393+ <entry>Existing row</entry>
394+ <entry>—</entry>
395+ <entry>Existing row</entry>
396+ <entry>—</entry>
397+ <entry>—</entry>
398+ </row>
399+ <row>
400+ <entry><command>INSERT</command></entry>
401+ <entry>—</entry>
402+ <entry>New row</entry>
403+ <entry>—</entry>
404+ <entry>—</entry>
405+ <entry>—</entry>
406+ </row>
407+ <row>
408+ <entry><command>INSERT ... RETURNING</command></entry>
409+ <entry>
410+ New row
411+ <footnote id="rls-select-priv">
412+ <para>
413+ If read access is required to the existing or new row (for example,
414+ a <literal>WHERE</literal> or <literal>RETURNING</literal> clause
415+ that refers to columns from the relation).
416+ </para>
417+ </footnote>
418+ </entry>
419+ <entry>New row</entry>
420+ <entry>—</entry>
421+ <entry>—</entry>
422+ <entry>—</entry>
423+ </row>
424+ <row>
425+ <entry><command>UPDATE</command></entry>
426+ <entry>
427+ Existing & new rows
428+ <footnoteref linkend="rls-select-priv">
429+ </entry>
430+ <entry>—</entry>
431+ <entry>Existing row</entry>
432+ <entry>New row</entry>
433+ <entry>—</entry>
434+ </row>
435+ <row>
436+ <entry><command>DELETE</command></entry>
437+ <entry>
438+ Existing row
439+ <footnoteref linkend="rls-select-priv">
440+ </entry>
441+ <entry>—</entry>
442+ <entry>—</entry>
443+ <entry>—</entry>
444+ <entry>Existing row</entry>
445+ </row>
446+ <row>
447+ <entry><command>ON CONFLICT DO UPDATE</command></entry>
448+ <entry>Existing & new rows</entry>
449+ <entry>—</entry>
450+ <entry>Existing row</entry>
451+ <entry>New row</entry>
452+ <entry>—</entry>
453+ </row>
454+ </tbody>
455+ </tgroup>
456+ </table>
457+
356458 </refsect2>
357459
358460 <refsect2>
0 commit comments