doc/user/content/sql/alter-network-policy.md
Available for Materialize Cloud only
ALTER NETWORK POLICY alters an existing network policy. Network policies are
part of Materialize's framework for access control.
Changes to a network policy will only affect new connections and will not terminate active connections.
{{% include-syntax file="examples/alter_network_policy" example="syntax" %}}
When you enable a Materialize region, a default network policy named default
will be pre-installed. This policy has a wide open ingress rule allow 0.0.0.0/0. You can modify or drop this network policy at any time.
{{< note >}}
The default value for the network_policy session parameter is default.
Before dropping the default network policy, a superuser (i.e. Organization Admin) must run ALTER SYSTEM SET network_policy to
change the default value.
{{< /note >}}
To prevent lockout, the IP of the active user is validated against the policy changes requested. This prevents users from modifying network policies in a way that could lock them out of the system.
The privileges required to execute this statement are:
{{% include-headless "/headless/sql-command-privileges/alter-network-policy" %}}
CREATE NETWORK POLICY office_access_policy (
RULES (
new_york (action='allow', direction='ingress',address='1.2.3.4/28'),
minnesota (action='allow',direction='ingress',address='2.3.4.5/32')
)
);
ALTER NETWORK POLICY office_access_policy SET (
RULES (
new_york (action='allow', direction='ingress',address='1.2.3.4/28'),
minnesota (action='allow',direction='ingress',address='2.3.4.5/32'),
boston (action='allow',direction='ingress',address='4.5.6.7/32')
)
);
ALTER SYSTEM SET network_policy = office_access_policy;