Access Policies

⚠️ Only available in EdgeDB 2.0 or later.

This section describes the DDL commands pertaining to access policies.

Create access policy

Declare a new object access policy.

  1. [ with with-item [, ...] ]
  2. { create | alter } type TypeName "{"
  3. [ ... ]
  4. create access policy name "{"
  5. [ when (condition) ; ]
  6. { allow | deny } action [, action ... ; ]
  7. [ using (expr) ; ]
  8. [ create annotation annotation-name := value ; ]
  9. "}"
  10. "}"
  11. where action is one of
  12. all
  13. select
  14. insert
  15. delete
  16. update [{ read | write }]

Description

The combination {create | alter} type … create access policy defines a new access policy for a given object type.

Parameters

Most sub-commands and options of this command are identical to the SDL access policy declaration.

name

The name of the access policy.

when (condition)

Specifies which objects this policy applies to. The condition has to be a bool expression.

When omitted, it is assumed that this policy applies to all objects of a given type.

allow

Indicates that qualifying objects should allow access under this policy.

deny

Indicates that qualifying objects should not allow access under this policy. This flavor supersedes any allow policy and can be used to selectively deny access to a subset of objects that otherwise explicitly allows accessing them.

all

Apply the policy to all actions. It is exactly equivalent to listing select, insert, delete, update actions explicitly.

select

Apply the policy to all selection queries. Note that any object that cannot be selected, cannot be modified either. This makes select the most basic “visibility” policy.

insert

Apply the policy to all inserted objects. If a newly inserted object would violate this policy, an error is produced instead.

delete

Apply the policy to all objects about to be deleted. If an object does not allow access under this kind of policy, it is not going to be considered by any delete command.

Note that any object that cannot be selected, cannot be modified either.

update read

Apply the policy to all objects selected for an update. If an object does not allow access under this kind of policy, it is not visible cannot be updated.

Note that any object that cannot be selected, cannot be modified either.

update write

Apply the policy to all objects at the end of an update. If an updated object violates this policy, an error is produced instead.

Note that any object that cannot be selected, cannot be modified either.

update

This is just a shorthand for update read and update write.

Note that any object that cannot be selected, cannot be modified either.

using expr

Specifies what the policy is with respect to a given eligible (based on when clause) object. The expr has to be a bool expression. The specific meaning of this value also depends on whether this policy flavor is allow or deny.

When omitted, it is assumed that this policy applies to all eligible objects of a given type.

The following subcommands are allowed in the create access policy block:

create annotation annotation-name := value

Set access policy annotation annotation-name to value.

See create annotation for details.

Alter access policy

Declare a new object access policy.

  1. [ with with-item [, ...] ]
  2. alter type TypeName "{"
  3. [ ... ]
  4. alter access policy name "{"
  5. [ when (condition) ; ]
  6. [ reset when ; ]
  7. { allow | deny } action [, action ... ; ]
  8. [ using (expr) ; ]
  9. [ reset expression ; ]
  10. [ create annotation annotation-name := value ; ]
  11. [ alter annotation annotation-name := value ; ]
  12. [ drop annotation annotation-name; ]
  13. "}"
  14. "}"
  15. where action is one of
  16. all
  17. select
  18. insert
  19. delete
  20. update [{ read | write }]

Description

The combination {create | alter} type … create access policy defines a new access policy for a given object type.

Parameters

The parameters describing the action policy are identical to the parameters used by create action policy. There are a handful of additional subcommands that are allowed in the create access policy block:

reset when

Clear the when (condition) so that the policy applies to all objects of a given type. This is equivalent to when (true).

reset expression

Clear the using (condition) so that the policy always passes. This is equivalent to using (true).

alter annotation annotation-name;

Alter access policy annotation annotation-name. See alter annotation for details.

drop annotation annotation-name;

Remove access policy annotation annotation-name. See drop annotation for details.

All the subcommands allowed in the create access policy block are also valid subcommands for alter access policy block.

Drop access policy

Remove an access policy from an object type.

  1. [ with with-item [, ...] ]
  2. alter type TypeName "{"
  3. [ ... ]
  4. drop access policy name ;
  5. "}"

Description

The combination alter type … drop access policy removes the specified access policy from a given object type.

See also

Schema > Access policies

SDL > Access policies