Each record specifies
- a connection type
- a client IP address range (if relevant for the connection type)
- a database name or names
- and the authentication method
to be used for connections matching these parameters. The first record that matches the type, client address, and requested database name of a connection attempt is used to do the authentication step. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, the following records are not considered. If no record matches, the access will be denied.