Row Level Security
Secure your data using Postgres Row Level Security.
When you need granular authorization rules, nothing beats Postgres's Row Level Security (RLS).
Row Level Security in Supabase#
RLS is incredibly powerful and flexible, allowing you to write complex SQL rules that fit your unique business needs. RLS can be combined with Supabase Auth for end-to-end user security from the browser to the database.
RLS is a Postgres primitive and can provide "defense in depth" to protect your data from malicious actors even when accessed through 3rd party tooling.
Policies#
Policies are Postgres's rule engine. Policies are easy to understand once you get the hang of them. Each policy is attached to a table, and the policy is executed every time a table is accessed.
You can just think of them as adding a WHERE clause to every query. For example a policy like this ...
.. would translate to this whenever a user tries to select from the todos table:
Enabling Row Level Security#
You can enable RLS for any table using the enable row level security clause:
Once you have enabled RLS, no data will be accessible via the API when using the public anon key, until you create policies.
Creating Policies#
Policies are simply SQL logic that you attach to a Postgres table. You can attach as many policies as you want to each table.
Supabase provides some helpers that simplify RLS if you're using Supabase Auth. We'll use these helpers to illustrate some basic policies:
SELECT Policies#
You can specify select policies with the using clause.
Let's say you have a table called profiles in the public schema and you want enable read access to everyone.
Alternatively, if you only wanted users to be able to see their own profiles:
INSERT Policies#
You can specify insert policies with the with check clause.
Let's say you have a table called profiles in the public schema and you only want users to be able to create a profile for themselves. In that case, we want to check their User ID matches the value that they are trying to insert:
UPDATE Policies#
You can specify update policies with the using clause.
Let's say you have a table called profiles in the public schema and you only want users to be able to update their own profile:
DELETE Policies#
You can specify delete policies with the using clause.
Let's say you have a table called profiles in the public schema and you only want users to be able to delete their own profile:
Bypassing Row Level Security#
You can create Postgres Roles which can bypass Row Level Security using the "bypass RLS" privilege:
This can be useful for system-level access. You should never share login credentials for any Postgres Role with this privilege.
RLS Performance Recommendations#
Every authorization system has an impact on performance. While row level security is powerful, the performance impact is important to keep in mind. This is especially true for queries that scan every row in a table - like many select operations, including those using limit, offset, and ordering.
Based on a series of tests, we have a few recommendations for RLS:
Add indexes#
Make sure you've added indexes on any columns used within the Policies which are not already indexed (or primary keys). For a Policy like this:
You can add an index like:
Benchmarks#
| Test | Before (ms) | After (ms) | % Improvement | Change |
|---|---|---|---|---|
| test1-indexed | 171 | < 0.1 | 99.94% | Before: No index After: user_id indexed |
Call functions with select#
You can use select statement to improve policies that use functions. For example, instead of this:
You can do:
This method works well for JWT functions like auth.uid() and auth.jwt() as well as security definer Functions. Wrapping the function causes an initPlan to be run by the Postgres optimizer, which allows it to "cache" the results per-statement, rather than calling the function on each row.
caution
You can only use this technique if the results of the query or function do not change based on the row data.
Benchmarks#
| Test | Before (ms) | After (ms) | % Improvement | Change |
|---|---|---|---|---|
| test2a-wrappedSQL-uid | 179 | 9 | 94.97% | Before: auth.uid() = user_id After: (select auth.uid()) = user_id |
| test2b-wrappedSQL-isadmin | 11,000 | 7 | 99.94% | Before: is_admin() table joinAfter: (select is_admin()) table join |
| test2c-wrappedSQL-two-functions | 11,000 | 10 | 99.91% | Before: is_admin() OR auth.uid() = user_idAfter: (select is_admin()) OR (select auth.uid() = user_id) |
| test2d-wrappedSQL-sd-fun | 178,000 | 12 | 99.993% | Before: has_role() = role After: (select has_role()) = role |
| test2e-wrappedSQL-sd-fun-array | 173000 | 16 | 99.991% | Before: team_id=any(user_teams()) After: team_id=any(array(select user_teams())) |
Add filters to every query#
Policies are "implicit where clauses", so it's common to run select statements without any filters. This is a bad pattern for performance. Instead of doing this (JS client example):
You should always add a filter:
Even though this duplicates the contents of the Policy, Postgres can use the to construct a better query plan.
Benchmarks#
| Test | Before (ms) | After (ms) | % Improvement | Change |
|---|---|---|---|---|
| test3-addfilter | 171 | 9 | 94.74% | Before: auth.uid() = user_idAfter: add .eq or where on user_id |
Use security definer functions#
A "security definer" function runs using the same role that created the function. This means that if you create a role with a superuser (like postgres), then that function will have bypassrls privileges. For example, if you had a policy like this:
We can instead create a security definer function which can scan roles_table without any RLS penalties:
caution
Security-definer functions should never be created in a schema in the "Exposed schemas" inside your API settings`.
Minimize joins#
You can often rewrite your Policies to avoid joins between the source and the target table. Instead, try to organize your policy to fetch all the relevant data from the target table into an array or set, then you can use an IN or ANY operation in your filter.
For example, this is an example of a slow policy which joins the source test_table to the target team_user:
We can rewrite this to avoid this join, and instead select the filter criteria into a set:
In this case you can also consider using a security definer function to bypass RLS on the join table:
note
If the list exceeds 1000 items, a different approach may be needed or you may need to analyze the approach to ensure that the performance is acceptable.
Benchmarks#
| Test | Before (ms) | After (ms) | % Improvement | Change |
|---|---|---|---|---|
| test5-fixed-join | 9,000 | 20 | 99.78% | Before: auth.uid() in table join on colAfter: col in table join on auth.uid() |
Specify Roles in your Policies#
Always use the Role of inside your policies, specified by the TO operator. For example, instead of this query:
Use:
This prevents the policy ( auth.uid() = user_id ) from running for any anon users, since the execution stops at the to authenticated step.
Benchmarks#
| Test | Before (ms) | After (ms) | % Improvement | Change |
|---|---|---|---|---|
| test6-To-role | 170 | < 0.1 | 99.78% | Before: No TO policyAfter: TO authenticated (anon accessing) |