The grant statements in this example enforce a policy that restricts employees from viewing any salaries but their own, allows managers to view their group members’ salaries, and restricts salary updates to the HR department during any month except December:
grant select on employee as e (esalary) where e.ename = USER or USER in (select username(mgrid) from depts d where d.deid = e.eid) to public grant update on employee (esalary) where datepart(month, current_date()) <> 12 to hr_role
