- Table restrictions — restrict whole tables to a chosen set of users.
- Row level security (RLS) — control which rows a user sees within a table.
Table Restrictions
A table restriction limits who can query a table. Unrestricted tables are open to everyone in the organization; once a table is restricted, only the users you select can query it — everyone else loses access. To restrict a table, open Access Rules and click Add Table Restriction, then pick the table and select the allowed users. To change who can access a restricted table, open it from the restricted tables list — changes save automatically. Removing a restriction reopens the table to the whole organization. Restricted tables show a lock badge next to their name in the editor’s schema list.Example
Anemployee_salaries table holds compensation data that should only be visible to the CEO, the CFO, and the finance team.
- Open Access Rules and click Add Table Restriction.
- Pick the
employee_salariestable. - Select the allowed users:
ceo@example.com,cfo@example.com, and each member of the finance team.
employee_salaries no longer return data for them, and reports built on it show them an error instead of results. New members added after the restriction don’t have access to the table until you add them to its allowed users.
Row Level Security
Row level security is available on the Enterprise plan.
RLS rules apply per user, through user variables — they can’t be assigned to Groups.
- A rule — specifies which tables are affected, which column determines access, and which user variable is compared against that column.
- User variables — a value set for each user, matched against the rule’s column.
User variables can take up to 5 minutes to apply. During this time, users can’t access any rows in tables with RLS rules.
Example
Aleads table has a sales_rep_id column holding the id of each sales rep. You want every rep to see only their own leads.
| lead_name | deal_stage | sales_rep_id | sales_rep |
|---|---|---|---|
| ACME | Prospect | 1 | John Doe |
| Contoso | Prospect | 2 | Jane Smith |
| Fabrikam | Proposal | 2 | Jane Smith |
Create a rule
- Column:
sales_rep_id - Operator:
= - User variable:
rep_id(any name works) - Apply to tables:
leads
The
IN and NOT IN operators only support string user variables at this time.Create user variables
- For John Doe:
- Variable:
rep_id(must match the column above) - Value:
1 - Users: select
john.doe@example.comfrom the dropdown
- Variable:
- For Jane Smith:
- Variable:
rep_id - Value:
2 - Users: select
jane.smith@example.comfrom the dropdown
- Variable:
sales_rep_id is 1, and Jane Smith only the rows where it is 2.
JSON format
User variables are stored as JSON, and the value type must match the column type in your database. String value — for= operators:
>:
IN operators:
IN operators:
true and 22 are stored as strings, not as a boolean or a number.
Boolean value:
Numeric values are stored as the
UInt64 type.Access Preview
Select a table and a user — for exampleleads and john.doe@example.com — to see their access:
- 33.3% accessible
- Total rows: 3
- User can access: 1
john.doe@example.comis bound by an access rule
Pair with page level access control
Access rules decide which tables and rows a user sees when they query; Page Level Access Control decides which pages they can open. For customer-facing reports where each customer should see only their own data, use them together: per-page access inaccess.yaml, table restrictions and RLS rules on the underlying tables.
