Summary
Please add an option for PDP (Row Level Security) to support intersecting (AND-based) evaluation, so that when a user qualifies for multiple PDP policies, access is the least permissive overlap of allowed rows rather than the union.
Problem
Today, additive evaluation means users in multiple groups can unintentionally gain broader visibility through group stacking. In enterprise environments, users accumulate group memberships over time, and those changes are often managed by IAM or HR systems outside of our team. This creates avoidable governance risk and makes access harder to explain and audit.
Why this matters
Without intersection, we are forced to create many combined groups and bespoke policies for every permutation, which does not scale.
Requested capability
Add a PDP evaluation option such as:
- Evaluation mode: Additive (OR) or Intersecting (AND)
- Intersecting mode should apply when a user matches multiple PDP policies for the same dataset.
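
The difference between the two evaluation modes, as an added Python illustration that is not part of the original request and not the product's own code. The policy model, every name in it, and the default-deny behaviour for users who match no policy are assumptions made for the example; the rows and policies are constructed sample data.

```python
# Added illustration; the policy model and all names are hypothetical, not a vendor API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    dataset: str
    group: str          # group the policy is granted to
    column: str         # column the row filter applies to
    allowed: frozenset  # values of that column the policy exposes

def visible_rows(rows, policies, user_groups, dataset, mode="additive"):
    """Return the rows of `dataset` a user may see under the chosen evaluation mode."""
    if mode not in ("additive", "intersecting"):
        raise ValueError(f"unknown mode: {mode}")
    # Only policies on this dataset that the user's groups match take part.
    matched = [p for p in policies if p.dataset == dataset and p.group in user_groups]
    if not matched:
        return []  # assumption: no matching policy means no rows, in both modes
    combine = any if mode == "additive" else all  # OR (union) vs AND (overlap)
    return [r for r in rows if combine(r.get(p.column) in p.allowed for p in matched)]

def widened_by_stacking(rows, policies, user_groups, dataset):
    """Audit helper: rows additive mode exposes that intersecting mode would hide."""
    union = visible_rows(rows, policies, user_groups, dataset, "additive")
    overlap = visible_rows(rows, policies, user_groups, dataset, "intersecting")
    return [r for r in union if r not in overlap]

# Constructed sample data.
ROWS = [
    {"id": 1, "region": "EMEA", "dept": "Sales"},
    {"id": 2, "region": "EMEA", "dept": "HR"},
    {"id": 3, "region": "APAC", "dept": "Sales"},
    {"id": 4, "region": "APAC", "dept": "HR"},
]
POLICIES = [
    Policy("emea-only", "headcount", "grp-emea", "region", frozenset({"EMEA"})),
    Policy("sales-only", "headcount", "grp-sales", "dept", frozenset({"Sales"})),
    Policy("other-ds", "payroll", "grp-sales", "dept", frozenset({"HR"})),
]

if __name__ == "__main__":
    groups = {"grp-emea", "grp-sales"}  # user who picked up a second group over time
    for mode in ("additive", "intersecting"):
        ids = [r["id"] for r in visible_rows(ROWS, POLICIES, groups, "headcount", mode)]
        print(mode, ids)
    widened = widened_by_stacking(ROWS, POLICIES, groups, "headcount")
    print("widened by stacking:", [r["id"] for r in widened])
```

With a single matching policy the two modes return the same rows; they diverge only once a second group membership brings in a second policy on the same dataset.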