Row level security (RLS) controls which rows of data a user can see in a source. You define a rule on a table and a user variable for each user; a user only sees rows where their variable matches the column named in the rule.
To use RLS with a Direct Connector, refer to that connector’s documentation.
RLS rules apply per user, through user variables — they can’t be assigned to Groups.
To set up RLS, open the Access Settings for your organization. Applying a rule to a source takes two parts:
  • A rule — specifies which tables are affected, which column determines access, and which user variable is compared against that column.
  • User variables — a value set for each user, matched against the rule’s column.
A rule applies to everyone or to no one by default. When it applies to no one, you grant access to specific users yourself.
User variables can take up to 5 minutes to apply. During this time, users can’t access any rows in tables with RLS rules.
To check a rule before you rely on it, use the Access Preview tool: select a table and a user to see how many rows that user can access.

Example

A leads table has a sales_rep_id column holding the id of each sales rep. You want every rep to see only their own leads.
lead_name | deal_stage | sales_rep_id | sales_rep
ACME      | Prospect   | 1            | John Doe
Contoso   | Prospect   | 2            | Jane Smith
Fabrikam  | Proposal   | 2            | Jane Smith

Create a rule

  • Column: sales_rep_id
  • Operator: =
  • User variable: rep_id (any name works)
  • Apply to tables: leads
The IN and NOT IN operators only support string user variables at this time.

Create user variables

  1. For John Doe:
    • Variable: rep_id (must match the user variable named in the rule above)
    • Value: 1
    • Users: select john.doe@example.com from the dropdown
  2. For Jane Smith:
    • Variable: rep_id
    • Value: 2
    • Users: select jane.smith@example.com from the dropdown
Now John Doe sees only the rows where sales_rep_id is 1, and Jane Smith only the rows where it is 2.

JSON format

User variables are stored as JSON, and the value type must match the column type in your database.
String value — for = operators:
"123"
Numeric value — for operators like >:
123
Numeric array — for IN operators:
[1, 23, 30]
String array — for IN operators:
["abc", "true", "22"]
Here both true and 22 are stored as strings, not as a boolean or a number.
Boolean value:
true
Numeric values are stored as the UInt64 type.

Access Preview

Select a table and a user — for example leads and john.doe@example.com — to see their access:
  • 33.3% accessible
  • Total rows: 3
  • User can access: 1
  • john.doe@example.com is bound by an access rule
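
To sanity-check what Access Preview should report before relying on a rule, the leads example can be modelled offline. This is an added illustration, not the product's code: the function names, the extra users typo@example.com and new.hire@example.com, and the choice to treat a JSON type mismatch as "no match" are assumptions, and only the = and IN operators are modelled.

```python
import json

# Constructed sample data: the leads table and rule from the example above.
LEADS = [
    {"lead_name": "ACME", "deal_stage": "Prospect", "sales_rep_id": 1},
    {"lead_name": "Contoso", "deal_stage": "Prospect", "sales_rep_id": 2},
    {"lead_name": "Fabrikam", "deal_stage": "Proposal", "sales_rep_id": 2},
]
RULE = {"column": "sales_rep_id", "operator": "=", "variable": "rep_id"}

# User variables as raw JSON text, keyed by user, then variable name (constructed).
USER_VARS = {
    "john.doe@example.com": {"rep_id": "1"},
    "jane.smith@example.com": {"rep_id": "2"},
    "typo@example.com": {"rep_id": '"1"'},  # JSON string against a numeric column
}

def same_type_equal(cell, value):
    # Assumption: mismatched types never match. Comparing type() also keeps
    # the JSON boolean true from being treated as the number 1.
    return type(cell) is type(value) and cell == value

def row_visible(rule, row, raw_json):
    """Return True if the row passes the rule for this user's variable."""
    if raw_json is None:  # variable missing or not yet applied: no rows
        return False
    value = json.loads(raw_json)
    cell = row[rule["column"]]
    if rule["operator"] == "=":
        return same_type_equal(cell, value)
    if rule["operator"] == "IN":
        return isinstance(value, list) and any(
            same_type_equal(cell, v) for v in value)
    return False  # operator not modelled here: fail closed

def access_preview(rule, rows, user):
    """Mimic the Access Preview summary for one user and table."""
    raw = USER_VARS.get(user, {}).get(rule["variable"])
    visible = [r["lead_name"] for r in rows if row_visible(rule, r, raw)]
    pct = round(100 * len(visible) / len(rows), 1) if rows else 0.0
    return {"total": len(rows), "accessible": len(visible),
            "percent": pct, "rows": visible}

if __name__ == "__main__":
    for user in ("john.doe@example.com", "jane.smith@example.com",
                 "typo@example.com", "new.hire@example.com"):
        print(user, access_preview(RULE, LEADS, user))
```

A user whose preview shows 0 accessible rows when you expected some is worth checking for a quoted value ("1" instead of 1) or a variable that has not been set.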

Pair with page level access control

Row level security decides which rows a user sees when they query; Page Level Access Control decides which pages they can open. For customer-facing reports where each customer should see only their own data, use them together: per-page access in access.yaml, RLS rules on the underlying tables.