Row-Level Security

Row-Level Security (RLS) restricts which rows a user can see based on their roles, attributes, and organizational context. The RLS engine automatically injects WHERE clauses into queries before they reach the execution engine, ensuring that users only access data they are authorized to see.

How RLS Works

User Query                    RLS Engine                    Execution Engine
    |                            |                               |
    |--- SELECT * FROM orders -->|                               |
    |                            |--- Resolve user policies ---->|
    |                            |--- Build WHERE predicates --->|
    |                            |--- Inject into query -------->|
    |                            |                               |
    |                            |--- SELECT * FROM orders   --->|
    |                            |    WHERE tenant_id = ?        |
    |                            |    AND region IN (...)        |
    |                            |                               |
    |<-- Filtered results -------|<-- Results -------------------|

Policy Types

Type	Description	Example
Tenant isolation	All queries filtered by tenant ID	`tenant_id = :tenantId`
Role-based	Data filtered by user role	Managers see all regions; analysts see assigned regions
Attribute-based	Data filtered by user attributes	Users see data for their department only
Column-value	Specific column values restricted	Financial data restricted to finance role

Policy Resolution

Policies are resolved in the following order:

Tenant policy: Always applied, non-negotiable
Table-level policies: Applied if the queried table has registered policies
Column-level policies: Applied for specific sensitive columns
User attribute policies: Applied based on the user's profile attributes

Multiple policies on the same table are combined with AND logic.

Policy Configuration

RLS policies are configured through the governance service and stored in the data catalog. The Query Engine fetches applicable policies at query time via the GovernanceServiceClient.

Field	Description
`tableName`	Table the policy applies to
`predicateExpression`	SQL predicate to inject
`applicableRoles`	Roles this policy applies to
`excludedRoles`	Roles exempt from this policy
`priority`	Evaluation order for conflicting policies

Performance Considerations

RLS predicates are injected before query optimization, allowing the engine to push them down to storage
Policies are cached per-tenant with short TTL to balance security freshness and performance
Complex policies with subqueries may impact query planning time

Overview Data Masking