> For the complete documentation index, see [llms.txt](https://docs.toucanai.cloud/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.toucanai.cloud/build/security-and-governance/row-level-security-rls-operators.md).

# Row-Level Security (RLS) operators

{% hint style="info" %}
**Target Audience**: Non technical users & Developers
{% endhint %}

#### TL;DR

Define granular data access by using logical operators (e.g., `contains`, `greater than`) to map User Attributes to Dataset Fields, moving beyond simple 1:1 equality.

***

#### When to use it

Use RLS operators when you need to implement complex multi-tenant security patterns, such as:

* **Hierarchical Access**: Allowing a user to see all data where a field `contains` their department name.
* **Numerical Thresholds**: Restricting data based on `greater than` or `less than` values (e.g., seniority levels or budget limits).
* **Temporal Filtering**: Limiting access to records `sooner than` or `later than` a specific date attribute.
* **Existence Checks**: Filtering rows based on whether a specific user attribute `is set` or `is not set`.

***

#### Core Functionality

The RLS engine applies security filters to SQL queries at runtime. It supports:

* **Dynamic Injection**: Resolving User Attributes from authentication tokens to filter rows.
* **Logic Grouping**: Using `AND` and `OR` blocks to wrap multiple rules for a single table.
* **Context-Aware UI**: Automatically hiding or disabling input fields for unary operators (e.g., `is set`) that only require one operand.

***

#### Prerequisites

* **Connected Database**: An active PostgreSQL or Google BigQuery connection.
* **User Attributes**: A backend system capable of generating tokens with custom attributes for comparison.

***

#### Types and Properties

Operators are automatically filtered based on the data type of the selected column and user attribute.

**Operator Availability by Type**

| **Data Type**    | **Available Operators**                                                                                                                                                                      |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| String           | `is equal to`, `is different from`, `is set`, `is not set`, `is in`, `is not in`                                                                                                             |
| Integer, Numeric | `is equal to`, `is different from`, `is set`, `is not set`, `is greater than`, `is greater than or equal to`, `is less than`, `is less than or equal to`, `is in (list)`, `is not in (list)` |
| Boolean          | `is equal to`, `is different from`, `is set`, `is not set`, `is in (list)`, `is not in (list)`                                                                                               |
| Date             | `is equal to`, `is different from`, `is set`, `is not set`, `is sooner than`, `is later than`, `is in (list)`, `is not in (list)`                                                            |

***

#### Where to use it

RLS operators are configured within the **Databases** section of the platform:

1. Navigate to a specific table in your schema.
2. Select the **Access Rules** tab.
3. Click on the rule block to select the **Dataset field**, the **Operator**, and the **User attribute**.

***

#### Constraints

* **Type Matching**: You can only refer to a date field using a User Attribute explicitly typed as a Date.
* **List Uniformity**: Operators using "in (list)" must contain values of a single, uniform type
* **No Regex Support**: Regular expressions are excluded from RLS configurations to prevent security vulnerabilities.
* **Read-Only**: RLS only impacts data extraction; Toucan.ai never writes back to the source database.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.toucanai.cloud/build/security-and-governance/row-level-security-rls-operators.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.