CREATE ROW ACCESS POLICY
Creates a new row access policy in TiDB Cloud Lake. A row access policy defines a Boolean predicate that TiDB Cloud Lake applies to rows when the policy is attached to a table.
Syntax
CREATE ROW ACCESS POLICY [ IF NOT EXISTS ] <policy_name> AS
( <arg_name> <arg_type> [ , <arg_name> <arg_type> ... ] )
RETURNS BOOLEAN -> <predicate_expression>
[ COMMENT = '<comment>' ]
Access Control Requirements
TiDB Cloud Lake automatically grants OWNERSHIP on the new row access policy to the current role so that it can manage the policy with others.
Examples
This example creates a policy that only exposes rows from the Engineering department, unless the current role is admin.
SET enable_experimental_row_access_policy = 1;
CREATE TABLE employees (
id INT,
name STRING,
department STRING
);
INSERT INTO employees VALUES
(1, 'Alice', 'Engineering'),
(2, 'Bob', 'Sales'),
(3, 'Charlie', 'Engineering');
CREATE ROW ACCESS POLICY rap_engineering
AS (dept STRING)
RETURNS BOOLEAN ->
CASE
WHEN current_role() = 'admin' THEN true
WHEN dept = 'Engineering' THEN true
ELSE false
END
COMMENT = 'show engineering rows';
ALTER TABLE employees
ADD ROW ACCESS POLICY rap_engineering ON (department);
SELECT id, name, department FROM employees ORDER BY id;
┌────┬─────────┬─────────────┐
│ id │ name │ department │
├────┼─────────┼─────────────┤
│ 1 │ Alice │ Engineering │
│ 3 │ Charlie │ Engineering │
└────┴─────────┴─────────────┘
The ON (department) clause maps the table column department to the policy argument dept.