Row-Level Security
Row-Level Security (RLS) in the Data Catalog restricts which rows a user can access within a table based on governance policies. RLS policies are evaluated at query time and inject filter conditions into the query before execution, ensuring users only see data they are authorized to access.
How RLS Works
RLS policies are implemented as governance policies of type ACCESS_CONTROL with rules that define row-level filtering conditions. When a query targets a table covered by an RLS policy, the policy evaluator determines which filter predicates to apply based on the user's attributes.
User Query: SELECT * FROM customers
|
v
Load RLS Policies for 'customers' table
|
v
Evaluate User Attributes Against Policy Rules
|
v
Inject Row Filters: WHERE region IN ('US', 'EU')
|
v
Execute Filtered QueryRLS Policy Configuration
| Field | Description |
|---|---|
policyType | Set to ACCESS_CONTROL |
scopeType | Typically TABLE or DATABASE |
scopeEntities | List of table FQNs or IDs the policy applies to |
enforcementMode | Controls whether filtering is strict or advisory |
rules | List of filter rules with conditions |
Rule Parameters for RLS
| Parameter | Description |
|---|---|
attribute | User attribute to match (e.g., region, department) |
value | Expected value for the attribute |
operator | Comparison operator (equals, contains, regex) |
column | Table column to filter on |
filterExpression | SQL predicate to inject into the query |
Example RLS Policy
{
"name": "Regional Data Access",
"policyType": "ACCESS_CONTROL",
"scopeType": "TABLE",
"scopeEntities": ["delta.sales.customers"],
"enforcementMode": "HARD_ENFORCE",
"rules": [
{
"name": "Region Filter",
"ruleType": "ATTRIBUTE_MATCH",
"parameters": {
"attribute": "region",
"value": "${user.region}",
"operator": "equals"
},
"enabled": true,
"order": 1
}
],
"enforcementActions": [
{
"actionType": "LOG",
"parameters": {
"logLevel": "INFO"
},
"order": 1
}
]
}Scope Levels
RLS policies support multiple scope levels for flexible coverage.
| Scope Level | Filter Applied To |
|---|---|
TABLE | Specific tables listed in scope entities |
DATABASE | All tables in the specified database |
SCHEMA | All tables in the specified schema |
TAG | All tables tagged with the specified tag |
CLASSIFICATION | All tables with the specified classification |
GLOBAL | All tables across all catalogs |
Enforcement Actions
When an RLS violation is detected, the configured enforcement actions execute in order.
| Action Type | Description |
|---|---|
BLOCK | Prevent query execution entirely |
MASK | Apply data masking to restricted rows |
LOG | Record the access attempt in the audit log |
ALERT | Send an alert to data stewards |
NOTIFY | Notify the user about restricted access |
Combining RLS with Other Policies
RLS policies can coexist with other governance policy types. The policy evaluator processes all applicable policies in priority order. A higher priority number means the policy is evaluated first.
| Policy Type | Interaction with RLS |
|---|---|
| Column masking | Applied after row filtering |
| Classification | Determines which RLS scope applies |
| Audit | Logs all access regardless of RLS outcome |
| Usage limits | Applied independently of row filters |