# Row Level Security

In addition to database access permissions available through ROLE and GRANT privilege system, YugabyteDB provides a more granular level security where tables can have row security policies that restrict rows users can access.

Row-level security (RLS) restricts rows that can be returned by normal queries or inserted, updated, or deleted by DML commands. RLS policies can be created specific to a DML command or with ALL commands. They can also be used to create policies on a particular role or multiple roles.

To start, connect to your yugabyteDB instance


In [None]:
./ysqlsh

To demonstrate row level security, you will create a test table with some data. The test table will be a table of employee data.

In [None]:
create table employees ( empno int, ename text, address text, salary int,
                         account_number text );

insert into employees values (1, 'joe', '56 grove st',  20000, 'AC-22001' );
insert into employees values (2, 'mike', '129 81 st',  80000, 'AC-48901' );
insert into employees values (3, 'julia', '1 finite loop',  40000, 'AC-77051');

Next, create three users, one for each of the employees added to the employees table.

In [None]:
create role joe login password 'yourpasswordhere';
grant select on employees to joe;

create role mike login password 'yourpasswordhere';
grant select on employees to mike;

create role julia login password 'yourpasswordhere';
grant select on employees to julia;

You are going to create a row level security policy that limits what each of the roles can see in the table. To achieve this, you will use a create policy query.

In [None]:
create policy emp_rls_policy on employees for all to public using (
           ename=current_user);

The name of the created policy is emp_rls_policy. This policy is being applied to the employees table for all of the DDL commands. The public keyword indicates that this rule applies to all roles in the database. The policy will automatically filter the data so that the data shown is only the rows where the ename field matches the name of the current role.

To verify that this works correctly, connect to the database as one of the created roles and attempt to query the employees table.

In [None]:
\c testdb joe;
select * from employees;