[9.5] question about row level security

Hello @ll,

how can i define a policy to prevent update a single field but enable
update other fields in a row?

For instance, a staff member table. the boss should be able to change
all fields but not a specific field in all rows, but should be able to
update this field for his own row.

id | name | boss |col1 | col_privat
--------------------------------
1 | boss | boss | 10 | boss privat
2 | joe | boss | 20 | joe privat
3 | sue | boss | 30 | sue privat

boss should be able to edit all except col_privat for id=2 and 3,
but he should be able update this column for id=1.
Therefore i can't revoce the update-priv for this column.

create policy enable_boss on <table> for update using
(boss=current_user) with check (???)

Is there a way to access old.* and new.* like within a trigger?
(something like with check(old.col_privat=new.col_privat))

Andreas
--
Really, I'm not out to destroy Microsoft. That will just be a completely
unintentional side effect. (Linus Torvalds)
"If I was god, I would recompile penguin with --enable-fly." (unknown)
Kaufbach, Saxony, Germany, Europe. N 51.05082°, E 13.56889°