Skip to main content

Row-Level Security (RLS)

plan support

Data Security is only available in Enterprise Plan and above

Row-Level Security ensures that users only see the rows they are authorized to view. This supports data isolation, privacy, multi-tenant environments, and least-privilege access.

How RLS Works

how it works

RLS makes the same query return different rows for different users, based on their identity and assigned permissions.

What you define

  • Applied models: The tables or models where the policy is enforced. A single policy can cover multiple models.
  • Policy condition: A condition evaluated against session properties to filter rows.
  • Session properties: User context values (e.g., user ID, organization, regions, roles). Properties can be required, or optional with default values.

What happens at runtime

  1. A user asks a question or generates a chart in WrenAI.
  2. WrenAI collects the user’s session properties.
  3. WrenAI attaches the policy condition to the query.
  4. WrenAI compiles dialect-specific SQL and sends it to your data source.
  5. The query returns only rows that satisfy the condition for that user.

Defining a Policy

1. Go to the policy page

Navigate to: Data Security → Row-Level Security → Add Policy

add a policy

Enter a policy name and select the models to which the policy will apply.

2. Choose session properties

Select from existing session properties, or create a new one. These will be used in the policy condition.

add session prop

You can define session properties as required or optional (with a default value).

session prop default value

  • Required: Users missing this property will see errors when querying the applied models.
  • Optional: If a user lacks the property, the default value will be used.

3. Define the policy condition

define policy condition

The condition is written like a SQL predicate. Session properties are referenced with the @ prefix.

Example: Allow a user to view only rows where org_id matches their organization ID:

org_id = @user_org_id

4. Preview with a simulated session context

After defining the policy, preview it with simulated session properties to confirm the expected results.

  1. Select a model or a recent question.
  2. Set session property values.
  3. Click Preview to view filtered results.

set session prop

You could set session properties for preview. Choose "Set to null" if you want to test the policy with a null value.

preview

Click "Preview" to see the results.

5. Save the policy

Click Save to create the policy.

Notice

Remember to deploy the models after creating a policy.

6. Assign session properties to users or groups

To apply a policy to specific users or groups, assign session properties accordingly.

Navigate to: Data Security → Session Properties

Switch to Assign to users or Assign to groups, then select targets and edit property values.

session-prop-assign-to-user assign to users form

Click Edit on a user to modify their assigned session properties.

7. Verify the policy

Return to Home, start a new thread, and ask a question.
The result set will now be filtered according to the policy.

rls result

Results only include rows that satisfy the policy condition.

Next

Check out the RLS Examples to see how to use RLS in practice.