Skip to main content
This guide walks you through how to configure Row-Level Security (RLS) filters in WisdomAI to control which rows of data users can access. You’ll learn how to set up filters using natural language or SQL, preview results, and manage RLS settings after configuration. If you are new to RLS, start with the conceptual guide: Understanding Row-Level Security.

Prerequisites

Before configuring RLS, make sure you have the following:
  • Admin Access: You must have administrator privileges for your WisdomAI domain.
  • A Target Table: Identify the table you wish to secure and understand its schema.
  • (Optional) Dynamic Filtering Setup: For dynamic RLS, you should have one of the following configured:
    • User Attributes: Key-value pairs assigned to users that define their permissions (e.g., tenantId: 'abc-123'). Attributes can be set manually by an admin or provisioned automatically via SAML SSO.
    • Entitlements Table: A dedicated table that maps users to the specific data resources they are allowed to access.

Configure RLS on a Table

Once your setup is ready, follow these steps to configure row-level security for a table in your WisdomAI domain.
  1. In your WisdomAI domain, navigate to Data > Tables.
  2. Locate the table you want to secure, click the three-dot menu on the right side of the table row and select Row-Level Security. The Row-Level Security Configuration window will open.
row-level-security-10-25.png
RLS filters are defined as WHERE clauses that WisdomAI applies to every query on the table. You can define this filter using natural language (recommended) or by writing SQL directly.
  1. Use the Describe Filters text box to explain your access rule in plain language.
  2. Click Generate. WisdomAI will automatically generate a valid SQL WHERE clause based on your description, recognizing table columns, user attributes, and entitlements. Here are some examples to help you describe a filter:
You TypeWisdomAI Generates
Filter the email column by the current user's emailemail = USER_EMAIL()
Match the tenantId column with the user's tenantId attributetenantId = USER_ATTRIBUTE('tenantId')
Use the entitlements table to filter the territory nameSQL subquery (see below)
EXISTS (
  SELECT 1
  FROM entitlements
  WHERE user_email = USER_EMAIL()
  AND resource_type = 'Territory'
  AND (resource_value = '*' OR resource_value = territory.name)
)
For complex or highly specific rules, you can write the WHERE clause directly in the SQL text box in a valid SQL syntax. For this, you can use WisdomAI’s built-in functions for dynamic filtering.For a complete list of functions, see Dynamic Filters with Custom Functions.
row-level-security-10-25-02.png
  1. Click Preview.
  2. In the Preview Table with Row-Level Security window that opens, locate the Impersonate User field and enter a user’s email address.
  3. Click Impersonate. The data preview will update to show exactly what that user would see.
  4. (Optional) Add temporary user attributes to test different scenarios.
  5. Repeat with different users to validate all access cases.
row-level-security-10-25-03.png
  1. Once you have verified that the filter works correctly, close the Preview Table with Row-Level Security window and click Save to apply the RLS rule. The filter is now active and will be automatically appended to all queries against this table for non-admin users.

Managing RLS

  • To Disable RLS: Open the RLS configuration, clear the contents of the SQL text box, and click Save.
  • Applying RLS to Admin Users: By default, admins can see all data. To apply RLS filters to admins as well, enable the corresponding setting in your domain’s Settings > Advanced tab.
  • Using a Table as an Entitlements Source: If the table you are securing is itself an entitlements table, check the Set as entitlements table option. This optimizes how WisdomAI uses it for RLS checks on other tables.

Next Steps

I