SQL security policies

SQL security policies let you define fine-grained access controls on your data sources. Policies are written in YAML and automatically transform user queries to enforce table access, column visibility, and row-level filtering.

What you can control

Policies cover three types of access restrictions:

• Table access — Allow or block access to specific tables or groups of tables
• Column filtering — Hide sensitive columns (passwords, SSNs, PII) from query results
• Row-level security — Limit which rows users can see based on their identity or role

How it works

Setting up a policy involves four steps:

1. Write a policy — On a data source's Security tab, define your rules in YAML
2. Set user properties — Assign security properties (like tenant_id or department) to individual users
3. Enable enforcement — Toggle the Enforce Policy switch on
4. Queries transform automatically — When users query the data source, Kaelio applies the policy before executing the SQL

For example, with this policy:

version: "1.0"
default_allow_tables: true

table_rules:
  - table_name: audit_logs
    allowed: false

column_rules:
  - table_name: users
    restricted_columns:
      - password_hash
      - ssn

row_filter_rules:
  - table_name: orders
    filter_sql: "tenant_id = '{tenant_id}'"

A query like SELECT * FROM orders automatically becomes SELECT * FROM orders WHERE tenant_id = 'acme' for a user whose tenant_id property is set to acme. The audit_logs table would be completely inaccessible, and password_hash and ssn columns would be stripped from any query against the users table.

Key concepts

The following table summarizes the core building blocks of a policy.

User properties also power dashboard user variables, letting widget and tree-select SQL reference values like {{user.email}} or {{user.department}} directly.

Next steps