Skip to main content
Version: 9.2

Record Level Security

Record-level security (also called "Row-level security" or simply "RLS") lets you restrict access to individual rows so that each user sees only the data they are authorized to view. Instead of maintaining separate datasets per tenant, you can load all records into a single dataset and have Qrvey automatically filter rows for every user.

How to Configure RLS

To configure RLS, follow these steps:

  1. Configure the RLS column on a dataset in Qrvey Composer.
  2. For each tenant end-user, configure RLS permissions as needed.
  3. Generate a Widget Security Token and pass in the configured permissions.
  4. Pass the generated token into in the widget config's qvToken parameter to complete widget authentication.

Points to Remember:

  • If the qvToken is missing, widgets will display “No data found” for secured datasets.
  • Once RLS columns are configured on a dataset, every user accessing charts based on that dataset must have the appropriate security token permissions.
  • For custom authentication, where you manage user logins and data, use backend authentication to call the Qrvey API and generate a security token.
  • Security names map user permissions to dataset columns. You can assign any name to an RLS column except the original column name. Use the security name when defining user permissions.
  • After saving a security name, a security icon will identify the dataset’s security columns.
  • You can define multiple security columns per dataset. All defined security columns must be included in the user’s security token.
  • If a security column is missing from the user’s token, access to related data will be restricted, and charts may not render as expected.
  • Defining security columns is optional. Only datasets with defined security columns require a security token; unsecured datasets do not.
  • Qrvey requests the user’s security token only when accessing secured datasets.

For a deeper dive into RLS, please see the Row Level Security guide.

RLS permissions Schema

The permissions parameter defines user permissions for accessing specific records within datasets.

Attribute Definitions

  • permissionsArray<Object>Required – Each object defines RLS permissions for a given dataset.

    • dataset_idString || Array<String>Required – Id of dataset to apply RLS to. Use * to match all datasets.

    • operatorString ("AND" || "OR")Optional – Defaults to AND. Determines how to combine record_permissions.

    • record_permissionsArray<Object>Required – List of record filter objects specifying the permitted values and/or value ranges for each dataset column where an RLS security group is defined.

      • security_nameStringRequired – Name of the security group defined for the dataset column.

      • validation_typeStringOptional – Determines how to evaluate the values. Defaults to EQUAL.
        Options:
        EQUAL, NOT_EQUAL, CONTAIN, NOT_CONTAIN, RANGE, NOT_RANGE, BETWEEN, DATE,
        GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL,
        START_WITH, NOT_START_WITH, END_WITH, NOT_END_WITH, IS_EMPTY, IS_NOT_EMPTY.

      • valuesArray<String>Required – List of permitted values. If set to EQUAL, use * for unrestricted access.

      • group_valueStringOptional – For date columns only. Defaults to DAY.
        Options:
        SECOND, MINUTE, HOUR, DAY, WEEK, MONTH, QUARTER, YEAR, etc...

Example

const config = {
  // ... Top-level of qvToken config.
  "permissions": [
    {
      "dataset_id": "dataset1",
      "operator": "OR",
      "record_permissions": [
        {
          "security_name": "MyDateSecurityName",
          "validation_type": "RANGE",
          "group_value": "month",
          "values": [
            {
              "gte": "Jun 2020",
              "lte": "Dec 2020"
            }
          ]
        }
      ]
    }
  ]
}