The following set of rules is specific to SELECT and DELETE row-level security policy functions.
- For a SELECT or DELETE UDF, the return value indicates whether the session has passed the security policy test. The following table lists the meanings of the return indicator variables for both SMALLINT and BYTE[(n)] types.

| This return output … | With this return indicator variable value … | Indicates that the call … |
|---|---|---|
| T | 0 | passed the policy. |
| F | 0 | did not pass the policy. Vantage ignores the target row for any further action. |

- If the constraint data type is either SMALLINT or BYTE(n) and the constraint allows nulls, its parameter style must be SQL. A parameter style of SQL for a row-level security UDF specifies that each input and output parameter for the UDF has a second indicator variable parameter to indicate if the return value is or is not null. In this case the indicator variable parameters are required because they are needed for the input parameters.
The RETURN parameters are as follows.

| This return output … | With this return indicator variable value … | Indicates that the call … |
|---|---|---|
| any return value | -1 | is not valid. |
| T | 0 | passed the policy. |
| F | 0 | did not pass the policy. Vantage ignores the target row for any further action. |
| anything other than T or F | 0 | is not valid. |

- If the constraint data type is SMALLINT and the constraint does not allow nulls, its parameter style must be TD_GENERAL.
The RETURN parameters for a hierarchical SELECT or DELETE constraint with a parameter style of SQL are as follows.

| This return output … | Indicates that the call … |
|---|---|
| T | passed the policy and continues processing the action. |
| F | did not pass the policy and does not continue processing the action. Vantage moves to the next row without reporting an error to the requestor. |

If you are logging security access to the table, Vantage does not generate an audit row for the failure.
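
The nullable, parameter style SQL case above, modelled in plain C as an added example (not from the original page or from Teradata): the function returns T or F with a return indicator of 0, never -1, and a helper reads the pair the way the table does. The function and helper names, the parameter order, the rule that a higher number is a higher level, and the choice to fail a row when either label is null are assumptions; Teradata's UDF header and the CREATE FUNCTION registration are left out.

```c
#include <stdio.h>

/* Indicator values as used in the tables above: 0 = value present, -1 = null. */
#define IND_PRESENT 0
#define IND_NULL    (-1)

/* Hypothetical SELECT policy function for a nullable SMALLINT hierarchical
 * constraint. Assumed layout: value parameters first, then one indicator per
 * parameter. Assumed policy: a higher number means a higher level. */
void select_level(const short *sess_level, const short *row_level, char *result,
                  const int *sess_ind, const int *row_ind, int *result_ind)
{
    /* The return indicator must never be -1: the table marks that as not valid. */
    *result_ind = IND_PRESENT;

    /* Fail closed: a null session or row label never passes (assumed policy). */
    if (*sess_ind == IND_NULL || *row_ind == IND_NULL) {
        *result = 'F';
        return;
    }
    *result = (*sess_level >= *row_level) ? 'T' : 'F';
}

/* Caller-side reading of the (output, indicator) pair, following the table:
 * 1 = passed, 0 = did not pass (row ignored), -1 = not valid. */
int interpret_return(char result, int result_ind)
{
    if (result_ind != IND_PRESENT) return -1; /* table lists -1; others assumed invalid */
    if (result == 'T') return 1;
    if (result == 'F') return 0;
    return -1;                                /* anything other than T or F */
}

/* Hypothetical wrapper so the outcome for one row can be checked directly. */
int check_row(short sess, int sess_ind, short row, int row_ind)
{
    char result = 0;
    int result_ind = IND_NULL;
    select_level(&sess, &row, &result, &sess_ind, &row_ind, &result_ind);
    return interpret_return(result, result_ind);
}

int main(void)
{
    /* Constructed sample rows: session level 2 against row levels 1, 3, null. */
    printf("%d %d %d\n", check_row(2, 0, 1, 0), check_row(2, 0, 3, 0),
           check_row(2, 0, 0, IND_NULL));
    return 0;
}
```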