Skip to main content

RLS Examples

plan support

Data Security is only available in Enterprise Plan and above

This page provides five diverse Row-Level Security examples. Each example includes:

  • A description of the use case
  • The session properties it requires
  • The policy condition
  • A rough table schema
  • An example query before RLS
  • The compiled query after applying session properties

1. Organization isolation (multi-tenant)

Ensures that each customer (organization) can only view their own data. This is the most common multi-tenant isolation scenario.

Session properties

  • @user_org_id (string)

Condition

-- org_id is the column name in the table
-- @user_org_id is the session property name
org_id = @user_org_id

Table schema

orders(
  id INT,
  org_id STRING,
  amount NUMBER
)

Example query

SELECT * FROM orders;

Compiled query (with @user_org_id = 'org_123')

SELECT * FROM orders WHERE org_id = 'org_123';

2. Owner access

Restricts rows to those owned by the user. For example, sales reps only see deals they personally own.

Session properties

  • @user_id (string)

Condition

-- owner_user_id is the column name in the table
-- @user_id is the session property name
owner_user_id = @user_id

Table schema

deals(
  id INT,
  owner_user_id STRING,
  value NUMBER
)

Example query

SELECT * FROM deals;

Compiled query (with @user_id = 'u_42')

SELECT * FROM deals WHERE owner_user_id = 'u_42';

3. Team membership access

Allows access if the user owns the row or belongs to a team that has access. Useful when teams share responsibility for certain data (e.g., a support ticket queue).

Session properties

  • @team_ids (string) — comma-separated list of team IDs
  • @user_id (string)

Condition

-- owner_user_id and team_id are the column names in the table
-- @user_id is the session property name
owner_user_id = @user_id
OR team_id IN (SELECT value FROM SPLIT(@team_ids, ','))

Table schema

tickets(
  id INT,
  owner_user_id STRING,
  team_id STRING,
  subject STRING
)

Example query

SELECT * FROM tickets;

Compiled query (with @user_id = 'u_42', @team_ids = 't1,t2')

SELECT * FROM tickets
WHERE owner_user_id = 'u_42'
   OR team_id IN (SELECT value FROM SPLIT('t1,t2', ','));

4. Region allow-list

Restricts access to rows belonging to specific regions. Common in global organizations where regional managers only see data for their assigned territories.

Session properties

  • @region_ids (string) — comma-separated list of regions

Condition

-- region_id is the column name in the table
-- @region_ids is the session property name
region_id IN (SELECT value FROM SPLIT(@region_ids, ','))

Table schema

customers(
  id INT,
  name STRING,
  region_id STRING
)

Example query

SELECT * FROM customers;

Compiled query (with @region_ids = 'US,CA')

SELECT * FROM customers
WHERE region_id IN (SELECT value FROM SPLIT('US,CA', ','));

5. RBAC-driven access

Grants access based on assigned roles. Rows tagged with required_role are only visible if the user holds that role (e.g., finance data visible only to FINANCE_ANALYST).

Session properties

  • @role_ids (string) — comma-separated list of role names

Condition

-- required_role is the column name in the table
-- @role_ids is the session property name
required_role IN (SELECT value FROM SPLIT(@role_ids, ','))

Table schema

reports(
  id INT,
  report_name STRING,
  required_role STRING
)

Example query

SELECT * FROM reports;

Compiled query (with @role_ids = 'FINANCE_ANALYST,HR_ADMIN')

SELECT * FROM reports
WHERE required_role IN (SELECT value FROM SPLIT('FINANCE_ANALYST,HR_ADMIN', ','));