Struct Policy 

pub struct Policy {
    pub name: Ident,
    pub table: Ident,
    pub policy_type: PolicyType,
    pub commands: Vec<PolicyCommand>,
    pub roles: Vec<SmolStr>,
    pub using_expr: Option<String>,
    pub check_expr: Option<String>,
    pub mssql_schema: Option<SmolStr>,
    pub mssql_block_operations: Vec<MssqlBlockOperation>,
    pub documentation: Option<Documentation>,
    pub span: Span,
}

A Row-Level Security (RLS) policy definition.

Policies provide fine-grained access control at the row level. They are applied to tables and evaluated for each row operation.

Example Schema Syntax

policy UserReadOwnData on User {
    for     SELECT
    to      authenticated
    using   "id = current_user_id()"
}

policy UserModifyOwnData on User {
    for     [INSERT, UPDATE, DELETE]
    to      authenticated
    using   "id = current_user_id()"
    check   "id = current_user_id()"
}

Database Support

• PostgreSQL: Full support via CREATE POLICY
• SQL Server: Supported via Security Policies with predicate functions

Fields

name: Ident

Policy name (must be unique per table).

table: Ident

The model/table this policy applies to.

policy_type: PolicyType

Policy type: PERMISSIVE (default) or RESTRICTIVE.

commands: Vec<PolicyCommand>

Commands this policy applies to (SELECT, INSERT, UPDATE, DELETE, or ALL).

roles: Vec<SmolStr>

Roles this policy applies to (default: PUBLIC).

using_expr: Option<String>

USING expression - evaluated for existing rows (SELECT, UPDATE, DELETE). Should return boolean. Row is visible if expression returns true. In MSSQL, this becomes the FILTER PREDICATE.

check_expr: Option<String>

WITH CHECK expression - evaluated for new rows (INSERT, UPDATE). Should return boolean. Row can be inserted/updated if expression returns true. In MSSQL, this becomes BLOCK PREDICATE(s).

mssql_schema: Option<SmolStr>

MSSQL-specific: Schema for the predicate function (default: “Security”).

mssql_block_operations: Vec<MssqlBlockOperation>

MSSQL-specific: Block operations to apply (default: all applicable).

documentation: Option<Documentation>

Documentation comment.

span: Span

Source location.

Implementations

impl Policy

pub fn new(name: Ident, table: Ident, span: Span) -> Policy

Create a new policy.

pub fn name(&self) -> &str

Get the policy name as a string.

pub fn table(&self) -> &str

Get the table name as a string.

pub fn with_type(self, policy_type: PolicyType) -> Policy

Set the policy type.

pub fn with_commands(self, commands: Vec<PolicyCommand>) -> Policy

Set the commands this policy applies to.

pub fn add_command(&mut self, command: PolicyCommand)

Add a command this policy applies to.

pub fn with_roles(self, roles: Vec<SmolStr>) -> Policy

Set the roles this policy applies to.

pub fn add_role(&mut self, role: impl Into<SmolStr>)

Add a role this policy applies to.

pub fn with_using(self, expr: impl Into<String>) -> Policy

Set the USING expression.

pub fn with_check(self, expr: impl Into<String>) -> Policy

Set the WITH CHECK expression.

pub fn with_documentation(self, doc: Documentation) -> Policy

Set documentation.

pub fn with_mssql_schema(self, schema: impl Into<SmolStr>) -> Policy

Set the MSSQL schema for the predicate function.

pub fn with_mssql_block_operations( self, operations: Vec<MssqlBlockOperation>, ) -> Policy

Set the MSSQL block operations.

pub fn add_mssql_block_operation(&mut self, operation: MssqlBlockOperation)

Add an MSSQL block operation.

pub fn applies_to(&self, command: PolicyCommand) -> bool

Check if this policy applies to a specific command.

pub fn is_restrictive(&self) -> bool

Check if this policy is restrictive.

pub fn is_permissive(&self) -> bool

Check if this policy is permissive.

pub fn effective_roles(&self) -> Vec<&str>

Get the effective roles (PUBLIC if none specified).

pub fn mssql_schema(&self) -> &str

Get the MSSQL schema (default: “Security”).

pub fn mssql_predicate_function_name(&self) -> String

Get the predicate function name for MSSQL.

pub fn to_sql(&self, table_name: &str) -> String

Generate the PostgreSQL CREATE POLICY statement.

pub fn to_postgres_sql(&self, table_name: &str) -> String

Generate the PostgreSQL CREATE POLICY statement.

pub fn to_mssql_sql( &self, table_name: &str, predicate_column: &str, ) -> MssqlPolicyStatements

Generate SQL Server (MSSQL) security policy statements.

Returns a tuple of:

1. CREATE FUNCTION statement for the predicate function
2. CREATE SECURITY POLICY statement

Arguments

• table_name - The fully qualified table name (e.g., “dbo.Users”)
• predicate_column - The column name to use in the predicate (e.g., “UserId”)

Example

let (func_sql, policy_sql) = policy.to_mssql_sql("dbo.Users", "UserId");

Trait Implementations

impl Clone for Policy

fn clone(&self) -> Policy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Policy

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for Policy

fn deserialize<__D>( __deserializer: __D, ) -> Result<Policy, <__D as Deserializer<'de>>::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for Policy

fn eq(&self, other: &Policy) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Policy

fn serialize<__S>( &self, __serializer: __S, ) -> Result<<__S as Serializer>::Ok, <__S as Serializer>::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for Policy