RBAC in practice
ksql(3) supports RBAC at the SQL-statement level.
Roles are defined by a transition matrix that specifies which roles may transition into which other roles. This captures all role topologies (the usual topology is hierarchical).
Statements (access) are pre-defined, parameterised SQL statements. Each statement is assigned the roles permitted to execute it.
Control is enforced by privilege separation and pledge(2): the database engine runs in another process, and both processes are pledged such that the database is protected.
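A minimal model of the role transition matrix and per-statement role check described above, added here as an illustration; it is not ksql's own code or API, and every name in it (`session_role`, `session_stmt`, the roles, the SQL text) is hypothetical. It shows only the checks, not the process separation or pledge(2).

```c
#include <stddef.h>

/* Hypothetical roles and statement ids for this sketch (not ksql's API). */
enum role { ROLE_DEFAULT, ROLE_USER, ROLE_ADMIN, ROLE__MAX };
enum stmt { STMT_USER_GET, STMT_USER_DELETE, STMT__MAX };

#define RBIT(r) (1u << (r))

/* Transition matrix: may_enter[from][to] != 0 permits from -> to.
 * DEFAULT may become USER or ADMIN, ADMIN may drop to USER, and USER
 * is terminal, so privileges are never regained in this topology. */
static const int may_enter[ROLE__MAX][ROLE__MAX] = {
	[ROLE_DEFAULT] = { [ROLE_USER] = 1, [ROLE_ADMIN] = 1 },
	[ROLE_ADMIN]   = { [ROLE_USER] = 1 },
};

/* Pre-defined parameterised statements, each with the roles allowed to run it. */
static const struct { const char *sql; unsigned roles; } stmts[STMT__MAX] = {
	[STMT_USER_GET]    = { "SELECT name FROM user WHERE id=?",
	                       RBIT(ROLE_USER) | RBIT(ROLE_ADMIN) },
	[STMT_USER_DELETE] = { "DELETE FROM user WHERE id=?", RBIT(ROLE_ADMIN) },
};

struct session { enum role role; };

/* Change role only if the matrix permits it. Returns 1 on success, else 0. */
int
session_role(struct session *s, enum role to)
{
	if ((unsigned)to >= ROLE__MAX || !may_enter[s->role][to])
		return 0;
	s->role = to;
	return 1;
}

/* Hand out a statement's SQL only to a permitted role; callers never
 * supply SQL text, only a statement id. Returns NULL when denied. */
const char *
session_stmt(const struct session *s, enum stmt id)
{
	if ((unsigned)id >= STMT__MAX || !(stmts[id].roles & RBIT(s->role)))
		return NULL;
	return stmts[id].sql;
}
```

Because callers pass only a statement id, a process holding a low-privilege role has no path to SQL outside its assigned set, and the one-way ADMIN to USER edge shows a topology the matrix can express beyond a plain hierarchy.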