What Is Row Level Security (RLS)?

Row Level Security (RLS) is a database feature that restricts which rows a user can access based on policies you define. It ensures users can only see and modify their own data, even if your application code has a bug.

Why this matters

When multiple users share the same database, RLS is the last line of defense preventing one user from accessing another's data. It works at the database level, so even a bug in your app code can't bypass it.

What's at stake

Without RLS, a single API bug can expose every user's data. Stop risking a data leak that could end your product — RLS makes multi-tenant data isolation automatic.

In detail.

Row Level Security (RLS) adds access control rules directly to your database tables. Instead of relying solely on your application code to filter data, the database itself enforces who can read, insert, update, or delete each row.

For example, in a Supabase project with a posts table, an RLS policy can ensure that SELECT queries only return rows where user_id matches the authenticated user. Even if your API accidentally exposes a query without a WHERE clause, RLS prevents data leakage.

RLS policies are written as SQL expressions that evaluate to true or false for each row. You can create policies for different operations (SELECT, INSERT, UPDATE, DELETE) and different roles.
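The posts example above, written out as policies for each operation, with two checks you can run afterwards. This is an added example, not code from the original page. The column layout and policy names are assumptions, and it relies on the auth.uid() function and the authenticated role that Supabase provides.

```sql
-- Assumed schema (not from the page): posts(id, user_id, body).
create table public.posts (
  id      bigint generated always as identity primary key,
  user_id uuid   not null default auth.uid(),
  body    text   not null
);

-- Policies are only enforced once RLS is enabled on the table.
alter table public.posts enable row level security;

-- SELECT: USING decides which existing rows are visible.
create policy posts_select_own on public.posts
  for select to authenticated
  using (user_id = auth.uid());

-- INSERT: WITH CHECK validates the row being written.
create policy posts_insert_own on public.posts
  for insert to authenticated
  with check (user_id = auth.uid());

-- UPDATE: USING limits the rows that can be targeted; WITH CHECK
-- stops a user from reassigning a row to someone else's user_id.
create policy posts_update_own on public.posts
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy posts_delete_own on public.posts
  for delete to authenticated
  using (user_id = auth.uid());

-- Check 1: confirm RLS is enabled and list the policies in force.
select relrowsecurity, relforcerowsecurity
  from pg_class where oid = 'public.posts'::regclass;
select policyname, cmd, roles, qual, with_check
  from pg_policies where schemaname = 'public' and tablename = 'posts';

-- Check 2: query as a constructed test user with no WHERE clause.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
  select count(*) from public.posts;  -- counts only that user's rows
rollback;

-- Caveat: superusers, roles with BYPASSRLS (including Supabase's
-- service_role) and the table owner skip these policies.
```

Requests made with a bypassing role are not filtered, so keep the service_role key out of client-facing code paths and run Check 2 under the same role your API uses.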


Frequently asked questions.

Yes. App-level filtering is important, but RLS adds defense in depth. If a bug in your code bypasses the filter, RLS at the database level still protects user data. Think of it as a safety net.

The performance impact is minimal for most applications. RLS policies are evaluated as part of the query execution plan, similar to a WHERE clause. For apps with thousands of users, this overhead is negligible.