<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-15 -->
<p>Row-Level Security (RLS) in Geode provides fine-grained access control at the node and relationship level, allowing you to restrict which graph elements users can access based on flexible policy rules. This is essential for multi-tenant applications, data privacy compliance, and protecting sensitive information within shared graph databases.</p>
<h3 id="understanding-row-level-security" class="position-relative d-flex align-items-center group">
<span>Understanding Row-Level Security</span>
</h3><p>Traditional database access control operates at the table or column level, granting or denying access to entire datasets. Row-Level Security goes further by controlling access to individual rows (in Geode’s case, nodes and relationships) based on the context of the query and the user executing it.</p>
<p>In graph databases, RLS enables:</p>
<ul>
<li><strong>Multi-tenant isolation</strong>: Different customers see only their data</li>
<li><strong>Data compartmentalization</strong>: Users access only data relevant to their role</li>
<li><strong>Privacy compliance</strong>: Automatic filtering of sensitive information</li>
<li><strong>Hierarchical access</strong>: Organizational structures reflected in data access</li>
<li><strong>Attribute-based access</strong>: Access based on node properties and relationships</li>
</ul>
<h3 id="rls-policy-basics" class="position-relative d-flex align-items-center group">
<span>RLS Policy Basics</span>
</h3><p>RLS policies in Geode consist of:</p>
<ul>
<li><strong>Target</strong>: The node labels or relationship types the policy applies to</li>
<li><strong>Operation</strong>: SELECT, INSERT, UPDATE, or DELETE</li>
<li><strong>Role</strong>: Which users/roles the policy applies to</li>
<li><strong>Condition</strong>: A GQL expression that determines access</li>
</ul>
<h4 id="creating-basic-policies" class="position-relative d-flex align-items-center group">
<span>Creating Basic Policies</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Only allow users to see their own data
CREATE POLICY user_isolation
  ON Person
  FOR SELECT
  TO authenticated_user
  USING (person_id = current_user());

-- Allow managers to see their team's data
CREATE POLICY manager_team_access
  ON Employee
  FOR SELECT
  TO manager
  USING (manager_id = current_user());

-- Allow admins to see everything
CREATE POLICY admin_full_access
  ON Person
  FOR ALL
  TO admin
  USING (true);
</code></pre></div>
<h4 id="policy-evaluation" class="position-relative d-flex align-items-center group">
<span>Policy Evaluation</span>
</h4><p>When a query executes, Geode:</p>
<ol>
<li>Identifies the user’s roles</li>
<li>Finds all applicable RLS policies</li>
<li>Combines policy conditions with AND logic for restrictive policies</li>
<li>Combines policy conditions with OR logic for permissive policies</li>
<li>Automatically adds conditions to query WHERE clauses</li>
</ol>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- User executes this query
MATCH (p:Person)
RETURN p.name, p.email;

-- With user_isolation policy, Geode executes
MATCH (p:Person)
WHERE p.person_id = current_user() -- Automatically added by RLS
RETURN p.name, p.email;
</code></pre></div>
<h3 id="multi-tenant-applications" class="position-relative d-flex align-items-center group">
<span>Multi-Tenant Applications</span>
</h3><p>RLS is ideal for SaaS applications serving multiple customers:</p>
<h4 id="tenant-isolation" class="position-relative d-flex align-items-center group">
<span>Tenant Isolation</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create tenant isolation policy
CREATE POLICY tenant_isolation
  ON (n) -- Applies to all node types
  FOR ALL
  TO tenant_user
  USING (n.tenant_id = current_tenant_id());

-- Optionally, restrict at relationship level too
CREATE POLICY tenant_relationship_isolation
  ON ()-[r]-()
  FOR ALL
  TO tenant_user
  USING (start_node(r).tenant_id = current_tenant_id()
    AND end_node(r).tenant_id = current_tenant_id());
</code></pre></div><p>Every node includes a <code>tenant_id</code> property:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create customer data with tenant ID
CREATE (:Customer {
  name: 'Acme Corp',
  tenant_id: 'tenant_123',
  email: 'contact@acme.com'
});

-- User from tenant_123 can see this
-- Users from other tenants cannot
</code></pre></div>
<h4 id="shared-reference-data" class="position-relative d-flex align-items-center group">
<span>Shared Reference Data</span>
</h4><p>Some data may be shared across tenants:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Allow all tenants to see shared reference data
CREATE POLICY shared_data_access
  ON ReferenceData
  FOR SELECT
  TO tenant_user
  USING (is_shared = true OR tenant_id = current_tenant_id());

-- Create shared data
CREATE (:ReferenceData {
  type: 'country',
  name: 'United States',
  is_shared: true
});
</code></pre></div>
<h3 id="hierarchical-access-control" class="position-relative d-flex align-items-center group">
<span>Hierarchical Access Control</span>
</h3><p>Model organizational hierarchies with RLS:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Employees</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">own</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">employee_self_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Managers</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">direct</span><span class="w"> </span><span class="py">reports</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">manager_reports_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">manager_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Directors</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">entire</span><span class="w"> </span><span class="py">department</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">director_department_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">director</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">department</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">get_managed_departments</span><span class="p">(</span><span class="py">current_user</span><span class="p">())</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Executives</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">everything</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">executive_all_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">executive</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="graph-based-hierarchy" class="position-relative d-flex align-items-center group">
<span>Graph-Based Hierarchy</span>
</h4><p>Use the graph structure itself for hierarchical access:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Access</span><span class="w"> </span><span class="py">based</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">organizational</span><span class="w"> </span><span class="py">graph</span><span class="w"> </span><span class="py">structure</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">org_hierarchy_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXISTS</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="py">path</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">(</span><span class="py">current</span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nc">current_user</span><span class="p">()})</span><span class="err">-</span><span class="p">[:</span><span class="nc">MANAGES</span><span class="err">*</span><span class="py">0</span><span class="err">..</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">e</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">e</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">this</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="err">'</span><span class="py">this</span><span class="err">'</span><span class="w"> </span><span class="py">refers</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">current</span><span class="w"> </span><span class="py">Employee</span><span class="w"> </span><span class="py">node</span><span class="w"> </span><span class="py">being</span><span class="w"> </span><span class="py">checked</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
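<p>The reachability rule in <code>org_hierarchy_access</code> can be checked against an org chart before the policy is deployed. The following is an added example, not Geode code and not part of the original documentation: it models the <code>MANAGES*0..</code> predicate in Python over a constructed org chart and flags <code>MANAGES</code> cycles, which would give everyone on the cycle visibility of each other's reports. The names <code>MANAGES</code>, <code>visible_employees</code>, <code>can_select</code> and <code>employees_in_cycles</code> are hypothetical.</p>

```python
from collections import deque

# Constructed sample org chart (not from the Geode docs):
# manager id -> ids of direct reports, i.e. the MANAGES relationships.
MANAGES = {
    "ceo": ["dir_eng", "dir_sales"],
    "dir_eng": ["mgr_backend"],
    "mgr_backend": ["alice", "bob"],
    "dir_sales": ["carol"],
}


def visible_employees(manages, viewer, max_depth=None):
    """Employee ids that satisfy the policy predicate for `viewer`.

    Models (current {id: viewer})-[:MANAGES*0..]->(e): zero or more MANAGES
    hops. `max_depth` is an assumption added here to show the effect of
    bounding the path length; None means unbounded, as in the policy.
    """
    seen = {viewer}  # the zero-length path: every employee sees themselves
    queue = deque([(viewer, 0)])
    while queue:
        node, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue
        for report in manages.get(node, ()):
            if report not in seen:  # visited set keeps cycles from looping
                seen.add(report)
                queue.append((report, depth + 1))
    return seen


def can_select(manages, viewer, target, max_depth=None):
    """True if `viewer` would be allowed to read the `target` Employee node."""
    return target in visible_employees(manages, viewer, max_depth)


def employees_in_cycles(manages):
    """Ids that can reach themselves through one or more MANAGES hops.

    A cycle is a data-integrity defect with an access-control consequence:
    each member of the cycle sees every other member and all their reports.
    """
    nodes = set(manages) | {r for reports in manages.values() for r in reports}
    in_cycle = set()
    for start in nodes:
        for report in manages.get(start, ()):
            if start in visible_employees(manages, report):
                in_cycle.add(start)
                break
    return in_cycle


if __name__ == "__main__":
    for viewer in ("alice", "mgr_backend", "dir_sales", "ceo"):
        print(viewer, "->", sorted(visible_employees(MANAGES, viewer)))

    # Constructed defect: an individual contributor recorded as managing a director.
    bad = {k: list(v) for k, v in MANAGES.items()}
    bad["alice"] = ["dir_eng"]
    print("cycle members:", sorted(employees_in_cycles(bad)))
    print("alice can read bob:", can_select(bad, "alice", "bob"))
```

<p>Running the cycle check whenever <code>MANAGES</code> relationships are written keeps the policy's effective scope aligned with the intended hierarchy.</p>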
<h3 id="attribute-based-access-control" class="position-relative d-flex align-items-center group">
<span>Attribute-Based Access Control</span>
</h3><p>Define access based on node properties:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Access</span><span class="w"> </span><span class="py">based</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">security</span><span class="w"> </span><span class="py">clearance</span><span class="w"> </span><span class="py">level</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">clearance_based_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">required_clearance</span><span class="w"> </span><span class="err"><</span><span class="p">=</span><span class="w"> </span><span class="py">get_user_clearance</span><span class="p">(</span><span class="py">current_user</span><span class="p">())</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Access</span><span class="w"> </span><span class="py">based</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">classification</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">classification_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">DataAsset</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">classification</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">[</span><span class="err">'</span><span class="py">public</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">internal</span><span class="err">'</span><span class="p">]</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="p">(</span><span class="py">classification</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">confidential</span><span class="err">'</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">user_has_approval</span><span class="p">(</span><span class="py">current_user</span><span class="p">(),</span><span class="w"> </span><span class="py">this</span><span class="err">.</span><span class="py">id</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Time</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">time_limited_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">TemporaryData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">valid_from</span><span class="w"> </span><span class="err"><</span><span class="p">=</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">valid_until</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="column-level-security-with-rls" class="position-relative d-flex align-items-center group">
<span>Column-Level Security with RLS</span>
</h3><p>Restrict access to specific properties:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="w"> </span><span class="py">that</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">exposes</span><span class="w"> </span><span class="py">certain</span><span class="w"> </span><span class="py">properties</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">employee_limited_view</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">public</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">COLUMNS</span><span class="w"> </span><span class="p">(</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">title</span><span class="p">,</span><span class="w"> </span><span class="py">department</span><span class="p">,</span><span class="w"> </span><span class="py">email</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">is_public_directory_enabled</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Sensitive</span><span class="w"> </span><span class="py">properties</span><span class="w"> </span><span class="py">like</span><span class="w"> </span><span class="py">salary</span><span class="w"> </span><span class="py">not</span><span class="w"> </span><span class="py">included</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">e</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">e</span><span class="err">.</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">e</span><span class="err">.</span><span class="py">salary</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">salary</span><span class="w"> </span><span class="py">is</span><span class="w"> </span><span class="py">NULL</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">public</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="conditional-insertupdate-policies" class="position-relative d-flex align-items-center group">
<span>Conditional Insert/Update Policies</span>
</h3><p>Control data modifications with RLS:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Users</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">insert</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">tenant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_insert_restriction</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">INSERT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">tenant_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="err">.</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Users</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">update</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">own</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">self_update_only</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Person</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">authenticated_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">person_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Prevent</span><span class="w"> </span><span class="py">deletion</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">archived</span><span class="w"> </span><span class="py">records</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">prevent_archive_deletion</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Record</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">DELETE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">status</span><span class="w"> </span><span class="p">!=</span><span class="w"> </span><span class="err">'</span><span class="py">archived</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="policy-functions" class="position-relative d-flex align-items-center group">
<span>Policy Functions</span>
</h3><p>Create reusable functions for complex policies:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Define</span><span class="w"> </span><span class="py">helper</span><span class="w"> </span><span class="py">function</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">FUNCTION</span><span class="w"> </span><span class="py">is_accessible_to_user</span><span class="p">(</span><span class="py">node_id</span><span class="w"> </span><span class="py">STRING</span><span class="p">,</span><span class="w"> </span><span class="py">user_id</span><span class="w"> </span><span class="py">STRING</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURNS</span><span class="w"> </span><span class="py">BOOLEAN</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">AS</span><span class="w"> </span><span class="err">$$</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nv">$user_id</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nc">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nv">$node_id</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nc">RETURN</span><span class="w"> </span><span class="py">EXISTS</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">HAS_ACCESS</span><span class="p">|</span><span class="py">MANAGES</span><span class="err">*</span><span class="py">1</span><span class="err">.</span><span class="mf">.3</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">$$;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Use</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">complex_access_policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">is_accessible_to_user</span><span class="p">(</span><span class="py">this</span><span class="err">.</span><span class="py">id</span><span class="p">,</span><span class="w"> </span><span class="py">current_user</span><span class="p">()))</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="performance-optimization" class="position-relative d-flex align-items-center group">
<span>Performance Optimization</span>
</h3><p>RLS policies can impact query performance if not carefully designed:</p>
<h4 id="index-filtered-properties" class="position-relative d-flex align-items-center group">
<span>Index Filtered Properties</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">index</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">frequently</span><span class="w"> </span><span class="py">filtered</span><span class="w"> </span><span class="py">property</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">INDEX</span><span class="w"> </span><span class="py">tenant_id_index</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="err">.</span><span class="py">tenant_id</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="w"> </span><span class="py">uses</span><span class="w"> </span><span class="py">indexed</span><span class="w"> </span><span class="py">property</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">tenant_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="err">.</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant_id</span><span class="p">())</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Uses</span><span class="w"> </span><span class="py">index</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="avoid-complex-subqueries" class="position-relative d-flex align-items-center group">
<span>Avoid Complex Subqueries</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Inefficient</span><span class="p">:</span><span class="w"> </span><span class="nc">Complex</span><span class="w"> </span><span class="py">EXISTS</span><span class="w"> </span><span class="py">subquery</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">every</span><span class="w"> </span><span class="py">node</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">slow_policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXISTS</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nc">current_user</span><span class="p">()})</span><span class="err">-</span><span class="p">[:</span><span class="nc">BELONGS_TO</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">g</span><span class="p">:</span><span class="nc">Group</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">CAN_ACCESS</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">this</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">More</span><span class="w"> </span><span class="py">efficient</span><span class="p">:</span><span class="w"> </span><span class="nc">Pre</span><span class="err">-</span><span class="py">compute</span><span class="w"> </span><span class="py">accessible</span><span class="w"> </span><span class="py">documents</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">fast_policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">this</span><span class="err">.</span><span class="py">id</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">get_accessible_documents</span><span class="p">(</span><span class="py">current_user</span><span class="p">())</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Cached</span><span class="w"> </span><span class="py">function</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="policy-caching" class="position-relative d-flex align-items-center group">
<span>Policy Caching</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable policy evaluation caching</span>
</span></span><span class="line"><span class="cl">geode serve --rls-cache-enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --rls-cache-size<span class="o">=</span>100MB <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --rls-cache-ttl<span class="o">=</span>300s
</span></span></code></pre></div>
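<p>The bounded traversal in <code>is_accessible_to_user</code> and the TTL-cached lookup behind <code>fast_policy</code> can be modelled outside the database to see what they grant and how long a revocation takes to show up. This Python sketch is an added example, not Geode code: the sample graph, the <code>doc-</code> id convention and <code>TtlAccessCache</code> are assumptions, and it assumes a cache that is refreshed only on expiry, since this page does not describe how Geode invalidates cached decisions.</p>

```python
from collections import deque

# Relationship types and hop bound taken from the page's policy function:
#   (u)-[:HAS_ACCESS|MANAGES*1..3]->(n)
ALLOWED_TYPES = {"HAS_ACCESS", "MANAGES"}
MAX_HOPS = 3


def make_graph():
    """Constructed sample data: directed (source, type, target) edges."""
    return {
        ("alice", "MANAGES", "bob"),
        ("bob", "HAS_ACCESS", "doc-1"),
        ("bob", "MANAGES", "carol"),
        ("carol", "HAS_ACCESS", "doc-2"),
        ("carol", "MANAGES", "dave"),
        ("dave", "HAS_ACCESS", "doc-3"),   # 4 hops from alice: outside the bound
        ("alice", "AUTHORED", "doc-4"),    # type not listed in the policy
    }


def reachable(edges, user_id, max_hops=MAX_HOPS):
    """Nodes reachable from user_id in 1..max_hops hops over allowed types."""
    adjacency = {}
    for src, rel, dst in edges:
        if rel in ALLOWED_TYPES:
            adjacency.setdefault(src, set()).add(dst)
    visited = {user_id}
    found = set()
    frontier = deque([(user_id, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue  # do not expand past the hop bound
        for nxt in adjacency.get(node, ()):
            if nxt not in visited:
                visited.add(nxt)
                found.add(nxt)
                frontier.append((nxt, depth + 1))
    return found


def is_accessible_to_user(edges, node_id, user_id):
    """Model of the page's helper: True if a bounded path user -> node exists."""
    return node_id in reachable(edges, user_id)


def get_accessible_documents(edges, user_id):
    """Pre-computed id set used by the fast_policy pattern (hypothetical body)."""
    return {n for n in reachable(edges, user_id) if n.startswith("doc-")}


class TtlAccessCache:
    """Hypothetical per-user decision cache that refreshes only on expiry."""

    def __init__(self, edges, ttl_seconds, clock):
        self.edges = edges
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}

    def accessible_documents(self, user_id):
        now = self.clock()
        hit = self._entries.get(user_id)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]  # may be stale if grants changed since caching
        docs = frozenset(get_accessible_documents(self.edges, user_id))
        self._entries[user_id] = (now, docs)
        return docs

    def invalidate(self, user_id):
        """Call from the code path that changes grants to close the stale window."""
        self._entries.pop(user_id, None)


def revocation_demo(ttl_seconds=300):
    """Return alice's document set before revocation, inside the TTL, after it."""
    edges = make_graph()
    now = [0.0]
    cache = TtlAccessCache(edges, ttl_seconds, clock=lambda: now[0])
    before = cache.accessible_documents("alice")
    edges.discard(("bob", "HAS_ACCESS", "doc-1"))  # grant removed in the graph
    now[0] = ttl_seconds - 1
    stale = cache.accessible_documents("alice")    # still served from cache
    now[0] = ttl_seconds
    expired = cache.accessible_documents("alice")  # recomputed after expiry
    return before, stale, expired


if __name__ == "__main__":
    for label, docs in zip(("before", "within TTL", "after TTL"), revocation_demo()):
        print(label, sorted(docs))
```

<p>In this model a removed <code>HAS_ACCESS</code> edge keeps granting access until the entry expires, so the TTL is also the worst-case revocation delay unless the grant-changing code path invalidates the entry.</p>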
<h3 id="testing-rls-policies" class="position-relative d-flex align-items-center group">
<span>Testing RLS Policies</span>
</h3><p>Verify policies work correctly:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Test</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="err">'</span><span class="py">employee</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">current_user</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">alice</span><span class="nd">@example</span><span class="err">.</span><span class="py">com</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">e</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">count</span><span class="p">(</span><span class="py">e</span><span class="p">)</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Should</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">accessible</span><span class="w"> </span><span class="py">employees</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Test</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="err">'</span><span class="py">admin</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">e</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">count</span><span class="p">(</span><span class="py">e</span><span class="p">)</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Should</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">employees</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Verify</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">enforcement</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">EXPLAIN</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">e</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">e</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Plan</span><span class="w"> </span><span class="py">should</span><span class="w"> </span><span class="py">show</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">filter</span><span class="p">:</span><span class="w"> </span><span class="nc">WHERE</span><span class="w"> </span><span class="py">e</span><span class="err">.</span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">()</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="automated-policy-testing" class="position-relative d-flex align-items-center group">
<span>Automated Policy Testing</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Run RLS policy test suite</span>
</span></span><span class="line"><span class="cl">geode test-rls --policy<span class="o">=</span>employee_access <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --test-users<span class="o">=</span>alice,bob,admin <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --expected-results<span class="o">=</span>test-cases.json
</span></span></code></pre></div>
<h3 id="policy-management" class="position-relative d-flex align-items-center group">
<span>Policy Management</span>
</h3>
<h4 id="viewing-policies" class="position-relative d-flex align-items-center group">
<span>Viewing Policies</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">List</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">policies</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">POLICIES</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">policies</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">label</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">POLICIES</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">details</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DESCRIBE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">employee_self_access</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="modifying-policies" class="position-relative d-flex align-items-center group">
<span>Modifying Policies</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">employee_self_access</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Recreate</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">updated</span><span class="w"> </span><span class="py">condition</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">employee_self_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">()</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">is_manager</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Disable</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">temporarily</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">employee_self_access</span><span class="w"> </span><span class="py">DISABLE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Re</span><span class="err">-</span><span class="py">enable</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">employee_self_access</span><span class="w"> </span><span class="py">ENABLE</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="best-practices" class="position-relative d-flex align-items-center group">
<span>Best Practices</span>
</h3><ol>
<li><strong>Start with deny-all</strong>: Create restrictive policies by default, then grant access</li>
<li><strong>Use indexed properties</strong>: Filter on indexed properties for performance</li>
<li><strong>Test thoroughly</strong>: Verify policies with different user roles and scenarios</li>
<li><strong>Keep policies simple</strong>: Complex policies are hard to maintain and slow to evaluate</li>
<li><strong>Document policies</strong>: Clearly document the intent and scope of each policy</li>
<li><strong>Monitor performance</strong>: Track query performance impact of RLS policies</li>
<li><strong>Use policy functions</strong>: Extract complex logic into reusable functions</li>
<li><strong>Regular audits</strong>: Periodically review and update policies</li>
<li><strong>Principle of least privilege</strong>: Grant minimum necessary access</li>
<li><strong>Combine with RBAC</strong>: Use RLS together with role-based access control</li>
</ol>
<h3 id="common-patterns" class="position-relative d-flex align-items-center group">
<span>Common Patterns</span>
</h3>
<h4 id="department-based-access" class="position-relative d-flex align-items-center group">
<span>Department-Based Access</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">department_isolation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">department_user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">get_user_department</span><span class="p">(</span><span class="py">current_user</span><span class="p">()))</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="time-based-access" class="position-relative d-flex align-items-center group">
<span>Time-Based Access</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">business_hours_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">SensitiveData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">extract_hour</span><span class="p">(</span><span class="py">current_timestamp</span><span class="p">())</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">9</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">17</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">extract_dow</span><span class="p">(</span><span class="py">current_timestamp</span><span class="p">())</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
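<p>The inclusive bounds and the clock that <code>business_hours_access</code> depends on, modelled in Python as an added example (not Geode code and not part of the original page). It assumes <code>extract_hour</code> returns the 0-23 hour, <code>extract_dow</code> numbers Monday as 1, and <code>BETWEEN</code> is inclusive as in SQL; <code>half_open_window</code>, the sample instants and the UTC-5 office offset are constructed for illustration.</p>

```python
from datetime import datetime, timedelta, timezone

# Assumptions (not confirmed by the page): extract_hour yields 0-23,
# extract_dow yields 1 = Monday .. 7 = Sunday, BETWEEN is inclusive as in SQL.

def business_hours_access(now: datetime) -> bool:
    """The policy's USING clause as written: hour 9..17 and weekday 1..5."""
    return 9 <= now.hour <= 17 and 1 <= now.isoweekday() <= 5

def half_open_window(now: datetime, start: int = 9, end: int = 17) -> bool:
    """Hypothetical variant for comparison: access ends at 17:00 sharp."""
    return start <= now.hour < end and 1 <= now.isoweekday() <= 5

def decisions(instant_utc: datetime, office_utc_offset: int) -> dict:
    """Evaluate one instant on a UTC server clock and on the office's clock."""
    office = timezone(timedelta(hours=office_utc_offset))
    local = instant_utc.astimezone(office)
    return {
        "as_written_utc_clock": business_hours_access(instant_utc),
        "as_written_office_clock": business_hours_access(local),
        "half_open_office_clock": half_open_window(local),
    }

# Constructed sample instants (UTC) paired with a constructed office offset.
SAMPLES = {
    "fri_17_59_office_on_utc": (datetime(2026, 1, 16, 17, 59, tzinfo=timezone.utc), 0),
    "mon_08_00_office_utc_minus_5": (datetime(2026, 1, 19, 13, 0, tzinfo=timezone.utc), -5),
    "fri_16_00_office_utc_minus_5": (datetime(2026, 1, 16, 21, 0, tzinfo=timezone.utc), -5),
    "sat_noon_office_on_utc": (datetime(2026, 1, 17, 12, 0, tzinfo=timezone.utc), 0),
}

def sample_decisions() -> dict:
    """Run every constructed sample through all three evaluations."""
    return {name: decisions(ts, off) for name, (ts, off) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in sample_decisions().items():
        print(f"{name:32} {result}")
```

<p>Under these assumptions the policy as written still admits a request at 17:59, and a server clock on UTC admits at 08:00 office time while denying at 16:00 office time for an office at UTC-5.</p>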
<h4 id="geographic-restrictions" class="position-relative d-flex align-items-center group">
<span>Geographic Restrictions</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">geographic_restriction</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">CustomerData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">region</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">get_user_regions</span><span class="p">(</span><span class="py">current_user</span><span class="p">()))</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="data-owner-access" class="position-relative d-flex align-items-center group">
<span>Data Owner Access</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">owner_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">created_by</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">()</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">owner</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="troubleshooting" class="position-relative d-flex align-items-center group">
<span>Troubleshooting</span>
</h3>
<h4 id="policy-not-applied" class="position-relative d-flex align-items-center group">
<span>Policy Not Applied</span>
</h4><p>Check that:</p>
<ol>
<li>User has correct role assigned</li>
<li>Policy target matches query pattern</li>
<li>Policy is enabled: <code>SHOW POLICIES</code></li>
<li>No conflicting policies</li>
</ol>
<h4 id="performance-issues" class="position-relative d-flex align-items-center group">
<span>Performance Issues</span>
</h4><ol>
<li>Add indexes on filtered properties</li>
<li>Simplify policy conditions</li>
<li>Use policy evaluation caching</li>
<li>Monitor with <code>EXPLAIN</code> to see added filters</li>
</ol>
<h4 id="access-denied-unexpectedly" class="position-relative d-flex align-items-center group">
<span>Access Denied Unexpectedly</span>
</h4><ol>
<li>Review all applicable policies with <code>SHOW POLICIES</code></li>
<li>Test policy condition manually</li>
<li>Check if multiple policies conflict</li>
<li>Verify user role and session context</li>
</ol>
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
</h3><ul>
<li><a
href="/tags/compliance/"
>Compliance</a>
- Regulatory compliance with RLS</li>
<li><a
href="/tags/audit-logging/"
>Audit Logging</a>
- Track RLS policy enforcement</li>
<li><a
href="/docs/security/authentication/"
>Authentication</a>
- User authentication and identity</li>
<li><a
href="/docs/security/authorization/"
>Authorization</a>
- Role-based access control</li>
<li><a
href="/docs/performance/"
>Performance</a>
- Optimizing RLS policy performance</li>
<li><a
href="/docs/security/"
>Security Overview</a>
- Security best practices</li>
</ul>