Row-Level Security (RLS) operators

Target Audience: Non technical users & Developers

TL;DR

Define granular data access by using logical operators (e.g., contains, greater than) to map User Attributes to Dataset Fields, moving beyond simple 1:1 equality.

When to use it

Use RLS operators when you need to implement complex multi-tenant security patterns, such as:

Hierarchical Access: Allowing a user to see all data where a field contains their department name.
Numerical Thresholds: Restricting data based on greater than or less than values (e.g., seniority levels or budget limits).
Temporal Filtering: Limiting access to records sooner than or later than a specific date attribute.
Existence Checks: Filtering rows based on whether a specific user attribute is set or is not set.

Core Functionality

The RLS engine applies security filters to SQL queries at runtime. It supports:

Dynamic Injection: Resolving User Attributes from authentication tokens to filter rows.
Logic Grouping: Using AND and OR blocks to wrap multiple rules for a single table.
Context-Aware UI: Automatically hiding or disabling input fields for unary operators (e.g., is set) that only require one operand.

Prerequisites

Connected Database: An active PostgreSQL or Google BigQuery connection.
User Attributes: A backend system capable of generating tokens with custom attributes for comparison.

Types and Properties

Operators are automatically filtered based on the data type of the selected column and user attribute.

Operator Availability by Type

Data Type

Available Operators

String

is equal to, is different from, is set, is not set, is in, is not in

Integer, Numeric

is equal to, is different from, is set, is not set, is greater than, is greater than or equal to, is less than, is less than or equal to, is in (list), is not in (list)

Boolean

is equal to, is different from, is set, is not set, is in (list), is not in (list)

Date

is equal to, is different from, is set, is not set, is sooner than, is later than, is in (list), is not in (list)

Where to use it

RLS operators are configured within the Databases section of the platform:

Navigate to a specific table in your schema.
Select the Access Rules tab.
Click on the rule block to select the Dataset field, the Operator, and the User attribute.

Constraints

Type Matching: You can only refer to a date field using a User Attribute explicitly typed as a Date.
List Uniformity: Operators using "in (list)" must contain values of a single, uniform type
No Regex Support: Regular expressions are excluded from RLS configurations to prevent security vulnerabilities.
Read-Only: RLS only impacts data extraction; Toucan.ai never writes back to the source database.

PreviousSecurity & Governance NextCharts

Last updated 24 days ago

Was this helpful?

hashtagTL;DR

hashtagWhen to use it

hashtagCore Functionality

hashtagPrerequisites

hashtagTypes and Properties

hashtagWhere to use it

hashtagConstraints