Row-level security
Row-level security (RLS) is the authorization mechanism that filters which rows of a dataset a given user can see, as a function of their identity. The filter is applied at query time, not at application dispatch — the query engine (database or BI provider) enforces the rule even if the calling application forgets to.
Compare with column-level security (hides columns based on identity — e.g. PII visibility) and dataset-level authorization (all-or-nothing access to a whole table/dashboard).
Canonical shape
Given a dataset sales_orders with a region column, RLS policy:
A user in the EMEA region sees only EMEA rows; a user in APAC sees only APAC rows; a dashboard that renders the dataset applies the filter transparently. The filter is typically a predicate on a user attribute (region, tenant ID, organization hierarchy, product line).
Where it lives in the stack
- Database-native RLS. PostgreSQL's `CREATE POLICY` on tables; policies are SQL predicates keyed to session variables. The engine enforces the predicate against every query.
- BI-layer RLS. QuickSight, Looker, Tableau all support RLS rules attached to datasets or users. The BI engine applies the predicate when the dashboard queries the backing source.
- Application-layer RLS. A middleware layer injects a `WHERE` clause before passing queries to the database. Brittle — if any query path bypasses the middleware, the filter is bypassed.
The strongest RLS lives in the engine (database or BI provider), so forgetting to apply the filter is impossible. The weakest lives in application code, where coverage depends on discipline.
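The canonical shape and the database-native option above, written out for PostgreSQL. This is an added example, not taken from the original page or its cited source; the role `dashboard_reader`, the setting `app.user_region`, the policy name and the sample rows are assumptions constructed for illustration.

```sql
-- Added example (PostgreSQL). Table contents, role name and setting name
-- are constructed for illustration.
CREATE TABLE sales_orders (
    order_id bigint        PRIMARY KEY,
    region   text          NOT NULL,
    amount   numeric(12,2) NOT NULL
);

INSERT INTO sales_orders (order_id, region, amount) VALUES
    (1, 'EMEA', 1200.00),
    (2, 'APAC',  860.50),
    (3, 'EMEA',  430.00);

-- Hypothetical non-owner role that the dashboard or application runs as.
CREATE ROLE dashboard_reader NOLOGIN;
GRANT SELECT ON sales_orders TO dashboard_reader;

-- Policies are inert until row security is enabled on the table.
ALTER TABLE sales_orders ENABLE ROW LEVEL SECURITY;
-- The table owner skips policies by default; FORCE applies them to the
-- owner as well. Superusers and roles with BYPASSRLS still bypass RLS,
-- so the querying role must be neither.
ALTER TABLE sales_orders FORCE ROW LEVEL SECURITY;

-- The predicate is keyed to a session variable. With missing_ok = true,
-- an unset variable yields NULL instead of an error, so a session that
-- never declared a region matches no rows (fail closed).
CREATE POLICY region_isolation ON sales_orders
    FOR SELECT
    TO dashboard_reader
    USING (region = current_setting('app.user_region', true));

-- One request on behalf of an EMEA user. SET LOCAL scopes both the role
-- and the region to this transaction, which matters with pooled
-- connections that are reused across users.
BEGIN;
SET LOCAL ROLE dashboard_reader;
SET LOCAL app.user_region = 'EMEA';
SELECT order_id, region, amount FROM sales_orders ORDER BY order_id;
COMMIT;

-- Same role with no region declared: the policy predicate is not true
-- for any row, so nothing is visible.
BEGIN;
SET LOCAL ROLE dashboard_reader;
SELECT count(*) FROM sales_orders;
COMMIT;
```

The engine enforces the predicate, but the session variable is only as trustworthy as whatever sets it: if end users can run arbitrary SQL on the connection, they can set `app.user_region` themselves. In that case key the policy to `current_user` or to a lookup table the querying role cannot modify.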
RLS in embedded analytics
When a BI dashboard is embedded in a host application (see concepts/embedded-analytics), RLS is the mechanism that makes one dashboard safe to show to thousands of users with different data-access rights. The per-viewer signed embed URL (concepts/signed-embed-url) carries the viewer's RLS context, so the dashboard reflects only that viewer's authorized rows — the same dashboard definition, filtered per user.
Seen in
- sources/2026-04-21-aws-oldcastle-infor-aurora-quicksight-real-time-analytics — canonical wiki instance. Oldcastle applies QuickSight RLS keyed to Infor user roles and organizational context; Lambda maps Infor session tokens → QuickSight users + RLS rules at embed-URL mint time. "Row-level security rules to make sure that users only see data that they're authorized to access."