Add Row-Level Security

Use Row-Level Security to restrict a user's visibility to individual rows (records) within a dataset based on user attributes. This keeps sensitive data hidden and reduces the need to maintain separate datasets for each group.

Overview

This guide explains how to apply Record-Level Security (RLS) in Qrvey dashboards and datasets so that each user only sees the data they are authorized to access.

You can set up Row-Level Security using the following Qrvey features:

• Composer: You can enable Row-Level Security on specific dataset columns (tenant_id, country) and assign a security name to each column. These filters automatically apply when the widget loads.
• Backend Token Generation: Create a qvToken and add filters to specify which values each user can access under that security name. These filters automatically apply when a dashboard or widget loads. For more information, see Qrvey Security Token Authentication

You can add Row-Level Security for user attributes such as region, tenant, department, or role. By implementing this data-access mechanism, each user or group only sees the records assigned to them.

Note: Row-Level Security does not apply while working in Composer mode. All records are visible to builders for configuration purposes.

By the end of this guide, you will be able to:

• Enable row-level security in Qrvey Composer.
• Set up user-specific filters in your qvToken.

Use Case

A company dataset contains all global sales data.

• User A should only view data for Germany.
• User B should only view data for Mexico.

After applying Row-Level Security, both users can access the same dashboard, but see only their respective data.

Before You Begin

Before implementing Row-Level Security, you should review how authentication tokens (qvToken) work in embedded widgets. In addition, obtain the following items, permissions, and access.

• Loaded dataset available in your Qrvey environment.
• Access to Qrvey Composer and permission to modify datasets.
• Your application must be able to generate tokens securely on the backend.

Implementation

1. Enable Row-Level Security for a Dataset.

   a. Log into Qrvey Composer.

   b. Open a dataset. In the dataset Design view (column settings), select Enable Record Level Security.

   c. Enable Row-Level Security for one or more columns (for example, tenant_id or country). Assign a Security Name for that column. This value is referenced by your backend.

   d. Assign a Security Name for that column. This value is referenced by your backend.

   e. Select Apply Changes to save your configuration.

2. Set up authentication and token generation for your widget to enforce record-level security at runtime.

   • Your backend service generates a secure qvToken using the Qrvey API.

   • Include a record_permissions section that defines what values the user is allowed to see. For example:

     "permissions": [
         {
         "dataset_id": "pduijuujs",
         "record_permissions": [
             {
             "security_name": "tenant_id",
           
               "values": [1, 8]
             },
             {
             "security_name": "country",
           
             "values": ["Germany", "Mexico"]
             }
             ]
         }
     ]

   • Pass the token to your front end and attach it to the widget configuration.

   For more information, see Qrvey Security Token Authentication.

3. Embed the Dashboard.

   a. In your web application, embed the Qrvey dashboard widget.

   b. Pass the qvToken in the configuration object:

   qvToken: <your_generated_token>.

   When the dashboard loads, Qrvey automatically applies the RLS filters, ensuring the user only sees their authorized data.

Troubleshooting

The following table displays common issues encountered when setting up row-level security and steps used to resolve them.

Issue	Cause	Solution
Dashboard shows 'No data found'.	The Row-Level Security filters in the token don’t match any dataset rows.	Verify that the security_name and filter values exactly match those configured in the dataset. Verify that the column values exist in the dataset, and that your qvToken uses the correct dataset ID.
Dashboard shows all data (no filtering).	Row-Level Security wasn’t fully applied because the dataset changes weren’t saved, or filters are missing from the token.	1. After enabling Row-Level Security on your dataset in Composer, select Apply Changes. This step saves the security configuration. 2. Confirm that your qvToken includes the correct record_permissions filters for the secured columns.
Changes not taking effect.	Cached token or outdated embed configuration.	- Regenerate a new token and perform a hard reload in your app. - Clear the browser cache to ensure the latest dataset and token configurations are loaded.
Error or unexpected data visibility	Incorrect security_name spelling, or mismatch between dataset and backend configuration.	The security name defined in Composer (case-sensitive) must match the one used in your backend token generation. Review both configurations for errors or differences in casing.

Best Practices

• Generate the qvToken on the backend for security.
• Keep security names consistent between dataset and backend definitions.
• Use the * wildcard with caution. This wildcard grants unrestricted access.
• Before deploying, test Row-Level Security with different user profiles.
• Avoid creating multiple datasets for each user or tenant.

Additional Resources

• Row-Level Security
• Dashboard Widget