Row-Level Security
A database feature that restricts which rows a user or application can access, enforcing data isolation at the storage layer.
Definition
Row-Level Security (RLS) is a database feature that controls access to individual rows in a table based on the characteristics of the user or application executing a query. Instead of granting access to entire tables, RLS policies define which rows a given user can read, insert, update, or delete. The database engine enforces these policies transparently on every query, regardless of how the application code is written.
RLS is available in PostgreSQL, SQL Server, Oracle, and other major database systems. It operates below the application layer, meaning a bug in application code cannot accidentally expose rows that the database policy restricts.
Why It Matters
Multi-tenant applications, where multiple customers share the same database, face a critical isolation challenge. If a query accidentally omits a WHERE clause filtering on tenant ID, one customer could see another's data. This is not a theoretical risk; tenant data leaks are among the most common security incidents in SaaS products.
Application-level access controls (adding WHERE tenant_id = X to every query) depend on developers never making a mistake. RLS moves that enforcement to the database itself. Even if application code runs a query without a tenant filter, the database policy ensures only the correct rows are returned. This defense-in-depth approach is significantly more resilient than relying on application logic alone.
How It Works
In practice, RLS works by attaching policies to tables. A policy defines a boolean expression that must evaluate to true for a row to be visible. For a multi-tenant application, the policy typically checks that the row's organization ID matches a session variable set during connection initialization.
RLS complements RBAC but operates at a different level. RBAC controls what actions a user can perform (read, write, delete). RLS controls which data those actions apply to. Together, they ensure that a user with "read" permission can only read their own organization's data, not every organization's data. This combination is essential for any platform that handles sensitive data from multiple customers.
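The policy mechanism and the RBAC/RLS split described above, as an added PostgreSQL example that is not taken from any vendor's code. The table assets, the role app_user and the session variable app.current_org are assumed names, the rows are constructed sample data, and the script assumes a scratch database and a session allowed to create roles and SET ROLE.

```sql
-- Added example for PostgreSQL; all object names are illustrative assumptions.
BEGIN;

CREATE TABLE assets (
    organization_id uuid NOT NULL,
    name            text NOT NULL
);

-- Constructed sample rows for two tenants, loaded before RLS is enabled.
INSERT INTO assets VALUES
    ('11111111-1111-1111-1111-111111111111', 'tenant A laptop'),
    ('22222222-2222-2222-2222-222222222222', 'tenant B server');

-- RBAC: which actions the application role may perform on the table.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON assets TO app_user;

-- RLS: which rows those actions may touch. FORCE applies the policy to the
-- table owner too; superusers and BYPASSRLS roles are still exempt, so the
-- application must not connect as one.
ALTER TABLE assets ENABLE ROW LEVEL SECURITY;
ALTER TABLE assets FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the variable was never set, and
-- NULLIF maps a reset (empty) value to NULL as well, so a session without a
-- tenant matches no rows instead of raising a cast error or matching all rows.
CREATE POLICY tenant_isolation ON assets
    USING      (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

SET ROLE app_user;

-- Tenant not set yet: the policy expression is NULL for every row.
SELECT count(*) FROM assets;

-- Connection initialization: bind the session variable to tenant A
-- (third argument true = scoped to this transaction).
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);

-- No WHERE clause, yet only rows passing the USING expression are visible.
SELECT organization_id, name FROM assets;

-- WITH CHECK rejects a write that would place a row in another tenant.
INSERT INTO assets VALUES ('22222222-2222-2222-2222-222222222222', 'planted');

ROLLBACK;
```

The final INSERT is expected to fail the policy check and abort the transaction, and the ROLLBACK then discards the table, role and settings.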
How Koopic Helps
Koopic enforces database-level tenant isolation to ensure each organization's asset data is completely separated from every other organization's data. This isolation is enforced at the storage layer, so application-level bugs cannot cause cross-tenant data exposure. Combined with RBAC and enterprise SSO, it forms a multi-layered security architecture.