How to set read-only access based on user name?

Invoices in my use case have been created by different users. I need to allow editing invoices only for their creators; other users can only read them.

I would create

  1. a row level security rule on invoice entity with roles set to *, priority 100, denying UPDATE, DELETE and Rule set to XPath rule that resembles something like:
    /row/@RecordCreatedBy!=AS:ActiveProfileId()

  2. and a security rule on same entity with roles set to *, priority 999, allowing CREATE, WRITE and DELETE and Rule not set (unconditional)

The rule is triggered on every row and if it's not a logged-user row, then the priority 100 rule matches and update and delete are denied; rule evaluation then stops. Otherwise it continues and matches the 999 rule and all permissions are granted.

@urbanekv I edited your answer and excluded the part which was not that much relevant. And there is a problem with your solution – the first rule allows editing (based on the rule) while the second allows editing, too (every time). So in the end you end up with edit rights all the time.

So the correct solution will be to negate the XPath rule (!=) and to set Deny in the Row Level Security Rule.

That way first the XPath rule is hit and if another user created the record it will deny access. Otherwise it will hit the second rule and allow editing.

I corrected my original answer.
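To make the difference between the two configurations concrete, here is a small simulation of the rule evaluation described in the thread. This is an added example, not code from the platform or from either poster; it assumes (as the answer states) that rules are evaluated in ascending priority order, that the first rule whose condition matches the row and covers the requested operation decides, and that nothing matching means deny. The XPath condition `/row/@RecordCreatedBy!=AS:ActiveProfileId()` is stood in for by a plain Python predicate, and the row and user ids are constructed sample data. Read access is governed by other rules and is left out.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
import xml.etree.ElementTree as ET

# Simulated row-level security engine (assumption: ascending priority,
# first matching rule for the requested operation decides, implicit deny).
Condition = Callable[[ET.Element, str], bool]


@dataclass(order=True)
class Rule:
    priority: int
    effect: str = field(compare=False)                 # "allow" or "deny"
    operations: frozenset = field(compare=False)       # operations the rule covers
    condition: Optional[Condition] = field(compare=False, default=None)  # None = unconditional
    name: str = field(compare=False, default="")


def created_by_active_user(row: ET.Element, active_profile_id: str) -> bool:
    # Stands in for an XPath rule /row/@RecordCreatedBy=AS:ActiveProfileId()
    return row.get("RecordCreatedBy") == active_profile_id


def not_created_by_active_user(row: ET.Element, active_profile_id: str) -> bool:
    # Stands in for the XPath rule /row/@RecordCreatedBy!=AS:ActiveProfileId()
    return row.get("RecordCreatedBy") != active_profile_id


def decide(rules, row: ET.Element, active_profile_id: str, operation: str):
    """Return (effect, rule name) for one row, one user and one operation."""
    for rule in sorted(rules):                        # priority 100 before 999
        if operation not in rule.operations:
            continue
        if rule.condition is None or rule.condition(row, active_profile_id):
            return rule.effect, rule.name             # evaluation stops here
    return "deny", "implicit"                         # no rule matched (assumption)


# The original configuration: both rules ALLOW, so the second one always wins.
ORIGINAL = [
    Rule(100, "allow", frozenset({"UPDATE", "DELETE"}), created_by_active_user, "rule-100-allow"),
    Rule(999, "allow", frozenset({"CREATE", "UPDATE", "DELETE"}), None, "rule-999-allow"),
]

# The corrected configuration: negated XPath condition plus DENY at priority 100.
CORRECTED = [
    Rule(100, "deny", frozenset({"UPDATE", "DELETE"}), not_created_by_active_user, "rule-100-deny"),
    Rule(999, "allow", frozenset({"CREATE", "UPDATE", "DELETE"}), None, "rule-999-allow"),
]

# Constructed sample invoice row: created by user "alice".
INVOICE = ET.fromstring('<row RecordCreatedBy="alice" InvoiceNo="INV-0001"/>')


def check_matrix(rules, row: ET.Element = INVOICE):
    """Effect for every (user, operation) pair; 'bob' did not create the row."""
    return {(user, op): decide(rules, row, user, op)[0]
            for user in ("alice", "bob")
            for op in ("CREATE", "UPDATE", "DELETE")}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label)
        for (user, op), effect in sorted(check_matrix(rules).items()):
            print(f"  {user:6} {op:7} -> {effect}")
```

Running it shows the problem the comment points out: with the original rules, `bob UPDATE -> allow` because the unconditional priority 999 rule is reached; with the corrected rules, `bob UPDATE -> deny` (the priority 100 deny fires and evaluation stops) while `alice UPDATE -> allow` and everyone may still CREATE.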