Security

🔐 Understanding Row-Level Security (RLS) in Altan Databases

Altan uses Row-Level Security (RLS) as a core mechanism to keep your data private, secure, and accessible only to the right users. In this post, we’ll explain what RLS is, how it works in Altan, and why it’s the right choice for a multi-tenant AI automation platform.

✅ What is RLS?

Row-Level Security (RLS) is a database feature that restricts access to individual rows in a table based on the identity of the user making the request.

Instead of giving or denying access to an entire table, RLS allows fine-grained control: users can only see the rows they are allowed to see — even when they're querying the same table as others.

🔐 Why Altan Uses RLS

Altan is designed for multi-tenant applications, meaning:

Multiple companies or workspaces share the same underlying infrastructure.

Each tenant (your business or workspace) should only see its own data.

RLS enforces data isolation at the database level, making it extremely hard to leak data across tenants — even if there’s a bug in your logic or API layer.

🧠 How It Works in Altan

Every Altan database:

Is a PostgreSQL schema (one per workspace or client).

Uses RLS policies on every table that restrict access based on the current user or API token.

Whenever a request is made:

The authenticated user’s identity is extracted from a signed JWT token.

That identity (e.g. account_id, user_id, or role) is automatically injected into the database session.

RLS policies on each table use this session information to allow or deny access row-by-row.

For example:

With this in place, even if someone tries to query SELECT * FROM tasks, they’ll only see their own rows.

🧰 Developer Benefits

Zero-trust by default: If no RLS policy exists, PostgreSQL denies all access to rows.

Backend-agnostic security: RLS works at the DB level, not just the API level — even if you connect via Supabase or PostgREST.

Simplified permissions: Policies can include logic for roles, visibility levels, ownership, etc.

🛡️ Why It’s Secure

Enforced at the lowest level: No matter how data is queried (via APIs, agents, or even direct SQL), RLS rules apply.

Immutable access control: Even if someone gets access to your endpoint, they cannot access other tenants’ data.

Integrated with JWT auth: RLS in Altan is tightly coupled with the identity system — sessions cannot be spoofed or escalated.

✨ Real Use Cases in Altan

AI agents querying only their own workspace’s leads.

Forms submitting rows into tables while hiding previous responses.

Workflows iterating over filtered datasets that respect tenant isolation.

🔍 FAQs

Q: Can admins bypass RLS?
Yes, but only explicitly. Admin users or internal system agents may bypass RLS in some contexts with elevated roles, always logged and auditable.

Q: Can I write custom RLS policies?
Not yet. For security and simplicity, Altan generates and manages RLS policies behind the scenes. Advanced configuration may be supported in the future.

🧠 Summary

Row-Level Security is one of the core reasons Altan is safe by default. You never have to worry about leaking data between clients or agents — the database enforces access boundaries at the row level, automatically and reliably.

If you're building serious automation, this is the kind of safety net you want under the hood.

🔐 Understanding Row-Level Security (RLS) in Altan Databases#

✅ What is RLS?#

🔐 Why Altan Uses RLS#

🧠 How It Works in Altan#

🧰 Developer Benefits#

🛡️ Why It’s Secure#

✨ Real Use Cases in Altan#

🔍 FAQs#

🧠 Summary#