<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-28 -->
<p>Row-Level Security (RLS) enables fine-grained access control by automatically filtering data based on user context and policy rules. Unlike traditional authorization that controls access to entire tables or labels, RLS controls access to individual rows (nodes and relationships), ensuring users only see data they are permitted to access.</p>
<h3 id="understanding-row-level-security" class="position-relative d-flex align-items-center group">
<span>Understanding Row-Level Security</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="understanding-row-level-security"
aria-haspopup="dialog"
aria-label="Share link: Understanding Row-Level Security">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden>
<div class="hsm-dialog" role="document">
<div class="hsm-header">
<h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2>
<button type="button" class="hsm-close" aria-label="Close">
<i class="fa-solid fa-xmark"></i>
</button>
</div>
<div class="hsm-body">
<label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label>
<div class="input-group mb-4 hsm-url-group">
<input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" />
<button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy">
<i class="fa-duotone fa-clipboard" aria-hidden="true"></i>
</button>
</div>
<div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div>
<div class="hsm-share-grid">
<a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer">
<i class="fa-brands fa-twitter me-2"></i>Twitter
</a>
<a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer">
<i class="fa-brands fa-linkedin me-2"></i>LinkedIn
</a>
<a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer">
<i class="fa-brands fa-facebook me-2"></i>Facebook
</a>
</div>
</div>
</div>
</div>
<style>
.heading-share-modal {
position: fixed;
inset: 0;
display: flex;
justify-content: center;
align-items: center;
background: rgba(0, 0, 0, 0.6);
z-index: 1050;
padding: 1rem;
backdrop-filter: blur(4px);
-webkit-backdrop-filter: blur(4px);
}
.heading-share-modal[hidden] { display: none !important; }
.hsm-dialog {
max-width: 420px;
width: 100%;
background: var(--bs-body-bg, #fff);
color: var(--bs-body-color, #212529);
border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1));
border-radius: 1rem;
box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25);
overflow: hidden;
animation: hsm-fade-in 0.2s ease-out;
}
@keyframes hsm-fade-in {
from { opacity: 0; transform: scale(0.95); }
to { opacity: 1; transform: scale(1); }
}
[data-bs-theme="dark"] .hsm-dialog {
background: #1e293b;
border-color: rgba(255,255,255,0.1);
color: #f8f9fa;
}
.hsm-header {
display: flex;
justify-content: space-between;
align-items: center;
padding: 1rem 1.5rem;
border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1));
background: rgba(0,0,0,0.02);
}
[data-bs-theme="dark"] .hsm-header {
background: rgba(255,255,255,0.02);
border-color: rgba(255,255,255,0.1);
}
.hsm-close {
background: transparent;
border: none;
color: inherit;
opacity: 0.5;
padding: 0.25rem 0.5rem;
border-radius: 0.25rem;
font-size: 1.2rem;
line-height: 1;
transition: opacity 0.2s;
}
.hsm-close:hover {
opacity: 1;
}
.hsm-body {
padding: 1.5rem;
}
.hsm-url-group {
display: flex !important;
align-items: stretch;
}
.hsm-url-group .form-control {
flex: 1;
min-width: 0;
margin: 0;
background: var(--bs-secondary-bg, #f8f9fa);
border-color: var(--bs-border-color, #dee2e6);
border-top-right-radius: 0;
border-bottom-right-radius: 0;
height: 42px;
}
.hsm-url-group .btn {
flex: 0 0 auto;
margin: 0;
margin-left: -1px;
border-top-left-radius: 0;
border-bottom-left-radius: 0;
height: 42px;
display: flex;
align-items: center;
justify-content: center;
padding: 0 1.25rem;
z-index: 2;
}
[data-bs-theme="dark"] .hsm-url-group .form-control {
background: #0f172a;
border-color: #334155;
color: #e2e8f0;
}
.hsm-share-grid {
display: flex;
flex-direction: column;
gap: 0.5rem;
}
.hsm-share-grid .btn {
display: flex;
align-items: center;
justify-content: center;
font-size: 0.9rem;
padding: 0.6rem;
border-color: var(--bs-border-color);
width: 100%;
}
[data-bs-theme="dark"] .hsm-share-grid .btn {
color: #e2e8f0;
border-color: #475569;
}
[data-bs-theme="dark"] .hsm-share-grid .btn:hover {
background: #334155;
border-color: #cbd5e1;
}
</style>
<script>
(function(){
const modal = document.getElementById('headingShareModal');
if(!modal) return;
const input = modal.querySelector('#headingShareInput');
const copyBtn = modal.querySelector('.hsm-copy');
const twitter = modal.querySelector('#share-twitter');
const linkedin = modal.querySelector('#share-linkedin');
const facebook = modal.querySelector('#share-facebook');
const closeBtn = modal.querySelector('.hsm-close');
let lastFocus=null;
let trapBound=false;
function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; }
function isOpen(){ return !modal.hasAttribute('hidden'); }
function hydrate(id){
const url=buildUrl(id);
input.value=url;
const enc=encodeURIComponent(url);
const text=encodeURIComponent(document.title);
if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`;
if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`;
if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`;
}
function openModal(id){
lastFocus=document.activeElement;
hydrate(id);
if(!isOpen()){
modal.removeAttribute('hidden');
}
requestAnimationFrame(()=>{ input.focus(); });
trapFocus();
}
function closeModal(){
if(!isOpen()) return;
modal.setAttribute('hidden','');
if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus();
}
function copyCurrent(){
try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); }
catch(e){ fallback(); }
}
function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} }
function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); }
function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); }
function bindShareButtons(){
document.querySelectorAll('.h-share').forEach(btn=>{
if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; }
});
}
bindShareButtons();
if(document.readyState==='loading'){
document.addEventListener('DOMContentLoaded', bindShareButtons);
} else {
requestAnimationFrame(bindShareButtons);
}
document.addEventListener('click', function(e){
const shareBtn=e.target.closest && e.target.closest('.h-share');
if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); }
}, true);
document.addEventListener('click', e=>{
if(e.target===modal) closeModal();
if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); }
if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); }
});
document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); });
function trapFocus(){
if(trapBound) return;
trapBound=true;
modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } });
}
if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); });
})();
</script><p>RLS works by applying security predicates to queries automatically. When a user executes a query, Geode evaluates RLS policies and filters results to include only rows matching the policy conditions. This filtering is transparent to the application and cannot be bypassed.</p>
<h4 id="how-rls-works" class="position-relative d-flex align-items-center group">
<span>How RLS Works</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="how-rls-works"
aria-haspopup="dialog"
aria-label="Share link: How RLS Works">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">User Query:
</span></span><span class="line"><span class="cl"> MATCH (c:Customer) RETURN c.name
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Without RLS:
</span></span><span class="line"><span class="cl"> Returns all 10,000 customers
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">With RLS Policy (tenant isolation):
</span></span><span class="line"><span class="cl"> USING (c.tenant_id = current_user_property('tenant_id'))
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Result for User in Tenant 'acme':
</span></span><span class="line"><span class="cl"> Returns only 500 customers belonging to 'acme'
</span></span></code></pre></div>
<h4 id="rls-vs-traditional-authorization" class="position-relative d-flex align-items-center group">
<span>RLS vs Traditional Authorization</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="rls-vs-traditional-authorization"
aria-haspopup="dialog"
aria-label="Share link: RLS vs Traditional Authorization">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><table>
<thead>
<tr>
<th>Aspect</th>
<th>Traditional Authorization</th>
<th>Row-Level Security</th>
</tr>
</thead>
<tbody>
<tr>
<td>Granularity</td>
<td>Label/Table level</td>
<td>Individual row level</td>
</tr>
<tr>
<td>Filtering</td>
<td>All or nothing</td>
<td>Dynamic per-row</td>
</tr>
<tr>
<td>Context-Aware</td>
<td>Limited</td>
<td>Full user context</td>
</tr>
<tr>
<td>Application Changes</td>
<td>Required for filtering</td>
<td>Transparent</td>
</tr>
<tr>
<td>Performance</td>
<td>Manual optimization</td>
<td>Automatic optimization</td>
</tr>
</tbody>
</table>
<h3 id="creating-rls-policies" class="position-relative d-flex align-items-center group">
<span>Creating RLS Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="creating-rls-policies"
aria-haspopup="dialog"
aria-label="Share link: Creating RLS Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="basic-policy-syntax" class="position-relative d-flex align-items-center group">
<span>Basic Policy Syntax</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="basic-policy-syntax"
aria-haspopup="dialog"
aria-label="Share link: Basic Policy Syntax">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">policy_name</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">LabelName</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">operation_type</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">role_or_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">predicate_expression</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="policy-components" class="position-relative d-flex align-items-center group">
<span>Policy Components</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="policy-components"
aria-haspopup="dialog"
aria-label="Share link: Policy Components">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><ul>
<li><strong>policy_name</strong>: Unique identifier for the policy</li>
<li><strong>LabelName</strong>: Node or relationship label to protect</li>
<li><strong>operation_type</strong>: SELECT, INSERT, UPDATE, DELETE, or ALL</li>
<li><strong>role_or_user</strong>: Target role or specific user</li>
<li><strong>predicate_expression</strong>: Boolean expression that must be true for access</li>
</ul>
<h4 id="basic-examples" class="position-relative d-flex align-items-center group">
<span>Basic Examples</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="basic-examples"
aria-haspopup="dialog"
aria-label="Share link: Basic Examples">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Tenant</span><span class="w"> </span><span class="py">isolation</span><span class="p">:</span><span class="w"> </span><span class="nc">Users</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">tenant</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Manager</span><span class="w"> </span><span class="py">sees</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">team</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">manager_team_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">department</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Users</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">modify</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">own</span><span class="w"> </span><span class="py">records</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">self_edit</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">UserProfile</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">authenticated_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">user_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="operation-specific-policies" class="position-relative d-flex align-items-center group">
<span>Operation-Specific Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="operation-specific-policies"
aria-haspopup="dialog"
aria-label="Share link: Operation-Specific Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="select-policies" class="position-relative d-flex align-items-center group">
<span>SELECT Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="select-policies"
aria-haspopup="dialog"
aria-label="Share link: SELECT Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><p>Control which rows users can read:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Classification</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">classification_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">classification_level</span><span class="w"> </span><span class="err"><</span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">clearance_level</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Geographic</span><span class="w"> </span><span class="py">restriction</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">regional_data</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">CustomerData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">regional_analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">region</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">assigned_region</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Time</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">visibility</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">current_records</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Contract</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">standard_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">end_date</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">current_date</span><span class="p">()</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">end_date</span><span class="w"> </span><span class="py">IS</span><span class="w"> </span><span class="py">NULL</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="insert-policies" class="position-relative d-flex align-items-center group">
<span>INSERT Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="insert-policies"
aria-haspopup="dialog"
aria-label="Share link: INSERT Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><p>Control which rows users can create:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Tenant</span><span class="w"> </span><span class="py">must</span><span class="w"> </span><span class="py">match</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">new</span><span class="w"> </span><span class="py">records</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_insert</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Order</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">INSERT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Department</span><span class="w"> </span><span class="py">restriction</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">creation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">dept_create</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Ticket</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">INSERT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">support_agent</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">assigned_department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">department</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Validate</span><span class="w"> </span><span class="py">ownership</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">creation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">owner_insert</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Note</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">INSERT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">created_by</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="update-policies" class="position-relative d-flex align-items-center group">
<span>UPDATE Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="update-policies"
aria-haspopup="dialog"
aria-label="Share link: UPDATE Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><p>Control which rows users can modify:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Only</span><span class="w"> </span><span class="py">modify</span><span class="w"> </span><span class="py">own</span><span class="w"> </span><span class="py">records</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">self_update</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">UserSettings</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">authenticated_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">user_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Manager</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">update</span><span class="w"> </span><span class="py">team</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">records</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">manager_update</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">department</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">employee_id</span><span class="w"> </span><span class="p">!=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">employee_id</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Prevent</span><span class="w"> </span><span class="py">modification</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">closed</span><span class="w"> </span><span class="py">records</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">open_records_only</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Ticket</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">support_agent</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">status</span><span class="w"> </span><span class="p">!=</span><span class="w"> </span><span class="err">'</span><span class="py">CLOSED</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="delete-policies" class="position-relative d-flex align-items-center group">
<span>DELETE Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="delete-policies"
aria-haspopup="dialog"
aria-label="Share link: DELETE Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><p>Control which rows users can delete:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Users</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">delete</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">own</span><span class="w"> </span><span class="py">temporary</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">self_delete</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">TempFile</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">DELETE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">owner_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Admins</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">delete</span><span class="w"> </span><span class="py">within</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">tenant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_delete</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">AuditRecord</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">DELETE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">tenant_admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">created_at</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">7</span><span class="w"> </span><span class="py">years</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Prevent</span><span class="w"> </span><span class="py">deletion</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">linked</span><span class="w"> </span><span class="py">records</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">no_delete_linked</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">DELETE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">NOT</span><span class="w"> </span><span class="py">EXISTS</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">this</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">HAS_ORDER</span><span class="p">]</span><span class="err">-></span><span class="p">(:</span><span class="nc">Order</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">Order</span><span class="err">.</span><span class="py">status</span><span class="w"> </span><span class="p">!=</span><span class="w"> </span><span class="err">'</span><span class="py">CANCELLED</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="policy-predicates" class="position-relative d-flex align-items-center group">
<span>Policy Predicates</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="policy-predicates"
aria-haspopup="dialog"
aria-label="Share link: Policy Predicates">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="using-user-context" class="position-relative d-flex align-items-center group">
<span>Using User Context</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="using-user-context"
aria-haspopup="dialog"
aria-label="Share link: Using User Context">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Current</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">ID</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">owner_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">())</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">property</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">region</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">assigned_region</span><span class="err">'</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">classification</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">current_user_roles</span><span class="p">())</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Session</span><span class="w"> </span><span class="py">attribute</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">project_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_session_property</span><span class="p">(</span><span class="err">'</span><span class="py">active_project</span><span class="err">'</span><span class="p">))</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="complex-predicates" class="position-relative d-flex align-items-center group">
<span>Complex Predicates</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="complex-predicates"
aria-haspopup="dialog"
aria-label="Share link: Complex Predicates">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Multiple</span><span class="w"> </span><span class="py">conditions</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">AND</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">combined_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">SalesData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">sales_rep</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">region</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">region</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">fiscal_year</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">active_year</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">is_confidential</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">false</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">conditions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">flexible_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Project</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">owner_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">team_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">team_id</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">is_public</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Subqueries</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">manager_hierarchy</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">manager_id</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">employee_id</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">manager_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="graph-pattern-predicates" class="position-relative d-flex align-items-center group">
<span>Graph Pattern Predicates</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="graph-pattern-predicates"
aria-haspopup="dialog"
aria-label="Share link: Graph Pattern Predicates">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Access</span><span class="w"> </span><span class="py">based</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">relationship</span><span class="w"> </span><span class="py">existence</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">project_member</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">ProjectDocument</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXISTS</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">this</span><span class="p">)</span><span class="err"><-</span><span class="p">[:</span><span class="nc">BELONGS_TO</span><span class="p">]</span><span class="err">-</span><span class="p">(:</span><span class="nc">Project</span><span class="p">)</span><span class="err"><-</span><span class="p">[:</span><span class="nc">MEMBER_OF</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Access</span><span class="w"> </span><span class="py">based</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">graph</span><span class="w"> </span><span class="py">traversal</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">org_hierarchy</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Report</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXISTS</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">this</span><span class="p">)</span><span class="err"><-</span><span class="p">[:</span><span class="nc">AUTHORED_BY</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">author</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">author</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">REPORTS_TO</span><span class="err">*</span><span class="py">0</span><span class="err">.</span><span class="mf">.3</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">mgr</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">mgr</span><span class="err">.</span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="multi-tenant-isolation" class="position-relative d-flex align-items-center group">
<span>Multi-Tenant Isolation</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="multi-tenant-isolation"
aria-haspopup="dialog"
aria-label="Share link: Multi-Tenant Isolation">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="complete-tenant-isolation" class="position-relative d-flex align-items-center group">
<span>Complete Tenant Isolation</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="complete-tenant-isolation"
aria-haspopup="dialog"
aria-label="Share link: Complete Tenant Isolation">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Apply</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">labels</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation_customer</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation_order</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Order</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation_product</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Product</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Helper</span><span class="w"> </span><span class="py">function</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">cleaner</span><span class="w"> </span><span class="py">policies</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">FUNCTION</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">()</span><span class="w"> </span><span class="py">RETURNS</span><span class="w"> </span><span class="py">STRING</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="err">$$</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">$$;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="cross-tenant-access-for-admins" class="position-relative d-flex align-items-center group">
<span>Cross-Tenant Access for Admins</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="cross-tenant-access-for-admins"
aria-haspopup="dialog"
aria-label="Share link: Cross-Tenant Access for Admins">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Super</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">sees</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">tenants</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">super_admin_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">super_admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">No</span><span class="w"> </span><span class="py">restriction</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Tenant</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">sees</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">tenant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_admin_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">tenant_admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Support</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">view</span><span class="w"> </span><span class="py">but</span><span class="w"> </span><span class="py">not</span><span class="w"> </span><span class="py">modify</span><span class="w"> </span><span class="py">across</span><span class="w"> </span><span class="py">tenants</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">support_view</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">support_team</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="shared-resources" class="position-relative d-flex align-items-center group">
<span>Shared Resources</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="shared-resources"
aria-haspopup="dialog"
aria-label="Share link: Shared Resources">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Some</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">is</span><span class="w"> </span><span class="py">shared</span><span class="w"> </span><span class="py">across</span><span class="w"> </span><span class="py">tenants</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">shared_templates</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Template</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">is_shared</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Global</span><span class="w"> </span><span class="py">reference</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">reference_data</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Country</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Everyone</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">read</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="hierarchical-data-access" class="position-relative d-flex align-items-center group">
<span>Hierarchical Data Access</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="hierarchical-data-access"
aria-haspopup="dialog"
aria-label="Share link: Hierarchical Data Access">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="organizational-hierarchy" class="position-relative d-flex align-items-center group">
<span>Organizational Hierarchy</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="organizational-hierarchy"
aria-haspopup="dialog"
aria-label="Share link: Organizational Hierarchy">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Employees</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">peers</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">downward</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">org_hierarchy</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">self</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">employee_id</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">peers</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">same</span><span class="w"> </span><span class="py">department</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="p">(</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">department</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">level</span><span class="w"> </span><span class="err"><</span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">level</span><span class="err">'</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">direct</span><span class="w"> </span><span class="py">reports</span><span class="w"> </span><span class="p">(</span><span class="py">recursively</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">EXISTS</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">this</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">REPORTS_TO</span><span class="err">*</span><span class="py">1</span><span class="err">.</span><span class="mf">.10</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">mgr</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">mgr</span><span class="err">.</span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">employee_id</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Executives</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">everyone</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">executive_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">executive</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="geographic-hierarchy" class="position-relative d-flex align-items-center group">
<span>Geographic Hierarchy</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="geographic-hierarchy"
aria-haspopup="dialog"
aria-label="Share link: Geographic Hierarchy">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Regional</span><span class="w"> </span><span class="py">managers</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">region</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">regional_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Store</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">regional_manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">region</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">region</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Country</span><span class="w"> </span><span class="py">managers</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">regions</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">country</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">country_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Store</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">country_manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">country</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">country</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Global</span><span class="w"> </span><span class="py">sees</span><span class="w"> </span><span class="py">everything</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">global_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Store</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">global_admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="data-classification" class="position-relative d-flex align-items-center group">
<span>Data Classification</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="data-classification"
aria-haspopup="dialog"
aria-label="Share link: Data Classification">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="classification-based-access" class="position-relative d-flex align-items-center group">
<span>Classification-Based Access</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="classification-based-access"
aria-haspopup="dialog"
aria-label="Share link: Classification-Based Access">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Define</span><span class="w"> </span><span class="py">classification</span><span class="w"> </span><span class="py">levels</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">PUBLIC</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">0</span><span class="p">,</span><span class="w"> </span><span class="py">INTERNAL</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">1</span><span class="p">,</span><span class="w"> </span><span class="py">CONFIDENTIAL</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">2</span><span class="p">,</span><span class="w"> </span><span class="py">SECRET</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">3</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Users</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">at</span><span class="w"> </span><span class="py">or</span><span class="w"> </span><span class="py">below</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">clearance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">classification_policy</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">classification_level</span><span class="w"> </span><span class="err"><</span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">clearance</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Writing</span><span class="w"> </span><span class="py">requires</span><span class="w"> </span><span class="py">exact</span><span class="w"> </span><span class="py">level</span><span class="w"> </span><span class="py">match</span><span class="w"> </span><span class="py">or</span><span class="w"> </span><span class="py">higher</span><span class="w"> </span><span class="py">clearance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">classification_write</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">INSERT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">classification_level</span><span class="w"> </span><span class="err"><</span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">clearance</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Cannot</span><span class="w"> </span><span class="py">downgrade</span><span class="w"> </span><span class="py">classification</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">no_downgrade</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">NEW</span><span class="err">.</span><span class="py">classification_level</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">OLD</span><span class="err">.</span><span class="py">classification_level</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">current_user_has_role</span><span class="p">(</span><span class="err">'</span><span class="py">classification_admin</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="category-based-access" class="position-relative d-flex align-items-center group">
<span>Category-Based Access</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="category-based-access"
aria-haspopup="dialog"
aria-label="Share link: Category-Based Access">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Users</span><span class="w"> </span><span class="py">have</span><span class="w"> </span><span class="py">list</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">accessible</span><span class="w"> </span><span class="py">categories</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">category_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">ResearchData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">researcher</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">category</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">ANY</span><span class="p">(</span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">authorized_categories</span><span class="err">'</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="time-based-policies" class="position-relative d-flex align-items-center group">
<span>Time-Based Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="time-based-policies"
aria-haspopup="dialog"
aria-label="Share link: Time-Based Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="temporal-access-control" class="position-relative d-flex align-items-center group">
<span>Temporal Access Control</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="temporal-access-control"
aria-haspopup="dialog"
aria-label="Share link: Temporal Access Control">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Business</span><span class="w"> </span><span class="py">hours</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">business_hours</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">ProductionData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">standard_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXTRACT</span><span class="p">(</span><span class="py">HOUR</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">())</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">8</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">18</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">EXTRACT</span><span class="p">(</span><span class="py">DOW</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">())</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Emergency</span><span class="w"> </span><span class="py">override</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="kd">on</span><span class="err">-</span><span class="py">call</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">emergency_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">ProductionData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="kd">on</span><span class="py">_call_engineer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Historical</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">window</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">historical_window</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">AuditLog</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">auditor</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">log_date</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">audit_start_date</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">audit_end_date</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="record-lifecycle" class="position-relative d-flex align-items-center group">
<span>Record Lifecycle</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="record-lifecycle"
aria-haspopup="dialog"
aria-label="Share link: Record Lifecycle">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Only</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">active</span><span class="w"> </span><span class="py">records</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">active_records</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Contract</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">status</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">ACTIVE</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="p">(</span><span class="py">status</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">EXPIRED</span><span class="err">'</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">current_user_has_role</span><span class="p">(</span><span class="err">'</span><span class="py">archive_viewer</span><span class="err">'</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Soft</span><span class="w"> </span><span class="py">delete</span><span class="w"> </span><span class="py">visibility</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">soft_delete</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">deleted_at</span><span class="w"> </span><span class="py">IS</span><span class="w"> </span><span class="py">NULL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">current_user_has_role</span><span class="p">(</span><span class="err">'</span><span class="py">admin</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="policy-management" class="position-relative d-flex align-items-center group">
<span>Policy Management</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="policy-management"
aria-haspopup="dialog"
aria-label="Share link: Policy Management">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="viewing-policies" class="position-relative d-flex align-items-center group">
<span>Viewing Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="viewing-policies"
aria-haspopup="dialog"
aria-label="Share link: Viewing Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">policies</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">POLICIES</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">policies</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">label</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">POLICIES</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">policies</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">POLICIES</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Detailed</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">information</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">rls_policies</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">label_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">Customer</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="modifying-policies" class="position-relative d-flex align-items-center group">
<span>Modifying Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="modifying-policies"
aria-haspopup="dialog"
aria-label="Share link: Modifying Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Update</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">predicate</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">()</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">is_active</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Change</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">target</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">manager_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">senior_manager</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Rename</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">old_name</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">RENAME</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">new_name</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="disabling-and-dropping-policies" class="position-relative d-flex align-items-center group">
<span>Disabling and Dropping Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="disabling-and-dropping-policies"
aria-haspopup="dialog"
aria-label="Share link: Disabling and Dropping Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Temporarily</span><span class="w"> </span><span class="py">disable</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span><span class="py">DISABLE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Re</span><span class="err">-</span><span class="py">enable</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span><span class="py">ENABLE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">exists</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">IF</span><span class="w"> </span><span class="py">EXISTS</span><span class="w"> </span><span class="py">old_policy</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="policy-bypass" class="position-relative d-flex align-items-center group">
<span>Policy Bypass</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="policy-bypass"
aria-haspopup="dialog"
aria-label="Share link: Policy Bypass">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="bypassing-rls-for-administration" class="position-relative d-flex align-items-center group">
<span>Bypassing RLS for Administration</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="bypassing-rls-for-administration"
aria-haspopup="dialog"
aria-label="Share link: Bypassing RLS for Administration">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">bypass</span><span class="w"> </span><span class="py">ability</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">BYPASS</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">dba</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Session</span><span class="err">-</span><span class="py">level</span><span class="w"> </span><span class="py">bypass</span><span class="w"> </span><span class="p">(</span><span class="py">requires</span><span class="w"> </span><span class="py">privilege</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">bypass_rls</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Run</span><span class="w"> </span><span class="kd">query</span><span class="w"> </span><span class="nc">without</span><span class="w"> </span><span class="py">RLS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">c</span><span class="p">:</span><span class="nc">Customer</span><span class="p">)</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">count</span><span class="p">(</span><span class="py">c</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Re</span><span class="err">-</span><span class="py">enable</span><span class="w"> </span><span class="py">RLS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">bypass_rls</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">false</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="audit-access-without-filtering" class="position-relative d-flex align-items-center group">
<span>Audit Access Without Filtering</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="audit-access-without-filtering"
aria-haspopup="dialog"
aria-label="Share link: Audit Access Without Filtering">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Auditors</span><span class="w"> </span><span class="py">need</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">everything</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">compliance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">compliance_auditor</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">BYPASS</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">compliance_auditor</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">All</span><span class="w"> </span><span class="py">audit</span><span class="w"> </span><span class="py">queries</span><span class="w"> </span><span class="py">logged</span><span class="w"> </span><span class="py">even</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">bypass</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="performance-optimization" class="position-relative d-flex align-items-center group">
<span>Performance Optimization</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="performance-optimization"
aria-haspopup="dialog"
aria-label="Share link: Performance Optimization">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="indexing-for-rls" class="position-relative d-flex align-items-center group">
<span>Indexing for RLS</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="indexing-for-rls"
aria-haspopup="dialog"
aria-label="Share link: Indexing for RLS">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">index</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">commonly</span><span class="w"> </span><span class="py">filtered</span><span class="w"> </span><span class="py">columns</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">INDEX</span><span class="w"> </span><span class="py">tenant_idx</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="p">(</span><span class="py">tenant_id</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">INDEX</span><span class="w"> </span><span class="py">department_idx</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="p">(</span><span class="py">department</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">INDEX</span><span class="w"> </span><span class="py">region_idx</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Store</span><span class="p">(</span><span class="py">region</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Composite</span><span class="w"> </span><span class="py">index</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">multi</span><span class="err">-</span><span class="py">condition</span><span class="w"> </span><span class="py">policies</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">INDEX</span><span class="w"> </span><span class="py">tenant_status_idx</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Order</span><span class="p">(</span><span class="py">tenant_id</span><span class="p">,</span><span class="w"> </span><span class="py">status</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="policy-optimization-tips" class="position-relative d-flex align-items-center group">
<span>Policy Optimization Tips</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="policy-optimization-tips"
aria-haspopup="dialog"
aria-label="Share link: Policy Optimization Tips">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">GOOD</span><span class="p">:</span><span class="w"> </span><span class="nc">Simple</span><span class="w"> </span><span class="py">equality</span><span class="w"> </span><span class="py">checks</span><span class="w"> </span><span class="py">are</span><span class="w"> </span><span class="py">fast</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">())</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">GOOD</span><span class="p">:</span><span class="w"> </span><span class="nc">Indexed</span><span class="w"> </span><span class="py">column</span><span class="w"> </span><span class="py">lookups</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">department</span><span class="err">'</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">AVOID</span><span class="p">:</span><span class="w"> </span><span class="nc">Complex</span><span class="w"> </span><span class="py">subqueries</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">possible</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Consider</span><span class="w"> </span><span class="py">caching</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">GOOD</span><span class="p">:</span><span class="w"> </span><span class="nc">Pre</span><span class="err">-</span><span class="py">computed</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">lists</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">ANY</span><span class="p">(</span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">accessible_ids</span><span class="err">'</span><span class="p">)))</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="analyzing-policy-performance" class="position-relative d-flex align-items-center group">
<span>Analyzing Policy Performance</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="analyzing-policy-performance"
aria-haspopup="dialog"
aria-label="Share link: Analyzing Policy Performance">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Explain</span><span class="w"> </span><span class="kd">query</span><span class="w"> </span><span class="nc">with</span><span class="w"> </span><span class="py">RLS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">EXPLAIN</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">c</span><span class="p">:</span><span class="nc">Customer</span><span class="p">)</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">c</span><span class="err">.</span><span class="py">name</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Shows</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="nc">Filter</span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="nc">c</span><span class="err">.</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Index</span><span class="w"> </span><span class="py">Scan</span><span class="p">:</span><span class="w"> </span><span class="nc">tenant_idx</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Profile</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">overhead</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">PROFILE</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">c</span><span class="p">:</span><span class="nc">Customer</span><span class="p">)</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">c</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="testing-rls-policies" class="position-relative d-flex align-items-center group">
<span>Testing RLS Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="testing-rls-policies"
aria-haspopup="dialog"
aria-label="Share link: Testing RLS Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="test-as-different-users" class="position-relative d-flex align-items-center group">
<span>Test as Different Users</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="test-as-different-users"
aria-haspopup="dialog"
aria-label="Share link: Test as Different Users">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Switch</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">context</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">testing</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">AUTHORIZATION</span><span class="w"> </span><span class="err">'</span><span class="py">test_user</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">PROPERTY</span><span class="w"> </span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">acme</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Run</span><span class="w"> </span><span class="kd">query</span><span class="w"> </span><span class="nc">to</span><span class="w"> </span><span class="py">test</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">c</span><span class="p">:</span><span class="nc">Customer</span><span class="p">)</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">count</span><span class="p">(</span><span class="py">c</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Reset</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">original</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RESET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">AUTHORIZATION</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="policy-verification-queries" class="position-relative d-flex align-items-center group">
<span>Policy Verification Queries</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="policy-verification-queries"
aria-haspopup="dialog"
aria-label="Share link: Policy Verification Queries">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Verify</span><span class="w"> </span><span class="py">no</span><span class="w"> </span><span class="py">cross</span><span class="err">-</span><span class="py">tenant</span><span class="w"> </span><span class="py">leakage</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">tenant_id</span><span class="p">,</span><span class="w"> </span><span class="py">count</span><span class="p">(</span><span class="err">*</span><span class="p">)</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GROUP</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">tenant_id</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Should</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">show</span><span class="w"> </span><span class="py">current</span><span class="w"> </span><span class="py">tenant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Verify</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">expected</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">is</span><span class="w"> </span><span class="py">accessible</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">count</span><span class="p">(</span><span class="err">*</span><span class="p">)</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">()</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Compare</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">bypass</span><span class="w"> </span><span class="py">count</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="integration-with-other-security-features" class="position-relative d-flex align-items-center group">
<span>Integration with Other Security Features</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="integration-with-other-security-features"
aria-haspopup="dialog"
aria-label="Share link: Integration with Other Security Features">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="rls-with-rbac" class="position-relative d-flex align-items-center group">
<span>RLS with RBAC</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="rls-with-rbac"
aria-haspopup="dialog"
aria-label="Share link: RLS with RBAC">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">RBAC</span><span class="w"> </span><span class="py">controls</span><span class="w"> </span><span class="py">CAN</span><span class="w"> </span><span class="py">you</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">label</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">controls</span><span class="w"> </span><span class="py">WHICH</span><span class="w"> </span><span class="py">rows</span><span class="w"> </span><span class="py">you</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">see</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">analyst_region</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">region</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">region</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Both</span><span class="w"> </span><span class="py">must</span><span class="w"> </span><span class="py">pass</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="rls-with-property-level-security" class="position-relative d-flex align-items-center group">
<span>RLS with Property-Level Security</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="rls-with-property-level-security"
aria-haspopup="dialog"
aria-label="Share link: RLS with Property-Level Security">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">filters</span><span class="w"> </span><span class="py">rows</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_filter</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Property</span><span class="w"> </span><span class="py">security</span><span class="w"> </span><span class="py">hides</span><span class="w"> </span><span class="py">columns</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="p">(</span><span class="py">ssn</span><span class="p">,</span><span class="w"> </span><span class="py">credit_score</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Result</span><span class="p">:</span><span class="w"> </span><span class="nc">Analyst</span><span class="w"> </span><span class="py">sees</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">tenant</span><span class="w"> </span><span class="py">customers</span><span class="p">,</span><span class="w"> </span><span class="py">without</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="py">fields</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="best-practices" class="position-relative d-flex align-items-center group">
<span>Best Practices</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="best-practices"
aria-haspopup="dialog"
aria-label="Share link: Best Practices">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3>
<h4 id="1-always-use-indexes" class="position-relative d-flex align-items-center group">
<span>1. Always Use Indexes</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="1-always-use-indexes"
aria-haspopup="dialog"
aria-label="Share link: 1. Always Use Indexes">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">indexes</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">predicate</span><span class="w"> </span><span class="py">columns</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">INDEX</span><span class="w"> </span><span class="py">tenant_idx</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="p">(</span><span class="py">tenant_id</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Dramatically</span><span class="w"> </span><span class="py">improves</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">performance</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="2-keep-policies-simple" class="position-relative d-flex align-items-center group">
<span>2. Keep Policies Simple</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="2-keep-policies-simple"
aria-haspopup="dialog"
aria-label="Share link: 2. Keep Policies Simple">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Simple</span><span class="w"> </span><span class="py">policies</span><span class="w"> </span><span class="py">are</span><span class="w"> </span><span class="py">faster</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">easier</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">audit</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">simple_tenant</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Avoid</span><span class="w"> </span><span class="py">complex</span><span class="w"> </span><span class="py">nested</span><span class="w"> </span><span class="py">subqueries</span><span class="w"> </span><span class="py">when</span><span class="w"> </span><span class="py">possible</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="3-test-thoroughly" class="position-relative d-flex align-items-center group">
<span>3. Test Thoroughly</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="3-test-thoroughly"
aria-haspopup="dialog"
aria-label="Share link: 3. Test Thoroughly">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Test</span><span class="w"> </span><span class="py">positive</span><span class="w"> </span><span class="py">cases</span><span class="w"> </span><span class="p">(</span><span class="py">should</span><span class="w"> </span><span class="py">see</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Test</span><span class="w"> </span><span class="py">negative</span><span class="w"> </span><span class="py">cases</span><span class="w"> </span><span class="p">(</span><span class="py">should</span><span class="w"> </span><span class="py">NOT</span><span class="w"> </span><span class="py">see</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Test</span><span class="w"> </span><span class="py">edge</span><span class="w"> </span><span class="py">cases</span><span class="w"> </span><span class="p">(</span><span class="py">null</span><span class="w"> </span><span class="py">values</span><span class="p">,</span><span class="w"> </span><span class="py">missing</span><span class="w"> </span><span class="py">properties</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Test</span><span class="w"> </span><span class="py">performance</span><span class="w"> </span><span class="py">under</span><span class="w"> </span><span class="py">load</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="4-document-policies" class="position-relative d-flex align-items-center group">
<span>4. Document Policies</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="4-document-policies"
aria-haspopup="dialog"
aria-label="Share link: 4. Document Policies">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Use</span><span class="w"> </span><span class="py">descriptive</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">names</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation_for_compliance</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Maintain</span><span class="w"> </span><span class="py">external</span><span class="w"> </span><span class="py">documentation</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">complex</span><span class="w"> </span><span class="py">policies</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="5-regular-audits" class="position-relative d-flex align-items-center group">
<span>5. Regular Audits</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="5-regular-audits"
aria-haspopup="dialog"
aria-label="Share link: 5. Regular Audits">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Periodically</span><span class="w"> </span><span class="py">verify</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">effectiveness</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">bypass</span><span class="w"> </span><span class="py">grants</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Review</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">predicates</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Test</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">sample</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">contexts</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="related-topics"
aria-haspopup="dialog"
aria-label="Share link: Related Topics">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3><ul>
<li><a
href="/tags/authorization/"
>Authorization</a>
- Access control overview</li>
<li><a
href="/tags/rbac/"
>RBAC</a>
- Role-based access control</li>
<li><a
href="/tags/authentication/"
>Authentication</a>
- Identity verification</li>
<li><a
href="/tags/audit-logging/"
>Audit Logging</a>
- Security event tracking</li>
<li><a
href="/tags/compliance/"
>Compliance</a>
- Regulatory requirements</li>
<li><a
href="/tags/multi-tenancy/"
>Multi-Tenancy</a>
- Tenant isolation patterns</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="further-reading"
aria-haspopup="dialog"
aria-label="Share link: Further Reading">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3><ul>
<li><a
href="/docs/architecture/security-architecture/"
>Security Architecture</a>
- Security design</li>
<li><a
href="/docs/security/authorization/"
>Authorization Guide</a>
- Complete authorization</li>
<li><a
href="/docs/performance/"
>Performance Tuning</a>
- RLS performance optimization</li>
<li>Multi-Tenant Design Patterns - Tenant isolation strategies</li>
</ul>
Tag
1 article
Row-Level Security (RLS)
Complete guide to Row-Level Security in Geode. Learn how to implement fine-grained access control policies that filter data at the row level based on user context, tenant isolation, and business rules.