
SQL Security Policies

Control what data users can access when querying databases through Kaelio.

SQL Security Policies let you define fine-grained access controls on your data sources. Policies are written in YAML and automatically transform user queries to enforce table access, column visibility, and row-level filtering.

What You Can Control

  • Table access — Allow or block access to specific tables or groups of tables
  • Column filtering — Hide sensitive columns (passwords, SSNs, PII) from query results
  • Row-level security — Limit which rows users can see based on their identity or role

How It Works

  1. Write a policy — On a data source's Security tab, define your rules in YAML
  2. Set user properties — Assign security properties (like tenant_id or department) to individual users
  3. Enable enforcement — Toggle the Enforce Policy switch on
  4. Queries transform automatically — When users query the data source, Kaelio applies the policy before executing the SQL

For example, with this policy:

policy.yaml
version: "1.0"
default_allow_tables: true

table_rules:
  - table_name: audit_logs
    allowed: false

column_rules:
  - table_name: users
    restricted_columns:
      - password_hash
      - ssn

row_filter_rules:
  - table_name: orders
    filter_sql: "tenant_id = '{tenant_id}'"

A query like SELECT * FROM orders would automatically become SELECT * FROM orders WHERE tenant_id = 'acme' for a user whose tenant_id property is set to acme. The audit_logs table would be completely inaccessible, and password_hash and ssn columns would be stripped from any query against the users table.
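The three decisions in this example, modelled in Python as an added illustration (not Kaelio's code or API). The function names, first-match-wins ordering, glob matching in every rule type, and the allow-list for property values are assumptions; the model shows a template variable failing closed when the user property is missing or contains characters that could alter the SQL.

```python
# Illustrative model of the policy semantics described above (not Kaelio's code).
from fnmatch import fnmatchcase
import re

# The page's policy.yaml, written as the dict a YAML loader would produce.
POLICY = {
    "version": "1.0",
    "default_allow_tables": True,
    "table_rules": [{"table_name": "audit_logs", "allowed": False}],
    "column_rules": [{"table_name": "users",
                      "restricted_columns": ["password_hash", "ssn"]}],
    "row_filter_rules": [{"table_name": "orders",
                          "filter_sql": "tenant_id = '{tenant_id}'"}],
}

SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]+")  # assumption: allow-list for property values
PLACEHOLDER = re.compile(r"\{(\w+)\}")       # template variables such as {tenant_id}

def table_allowed(policy, table):
    # Assumption: first matching rule wins; unlisted tables use default_allow_tables.
    for rule in policy.get("table_rules", []):
        if fnmatchcase(table, rule["table_name"]):
            return rule["allowed"]
    return policy["default_allow_tables"]

def visible_columns(policy, table, columns):
    # Collect restricted columns from every rule whose pattern matches the table.
    hidden = {c for r in policy.get("column_rules", [])
              if fnmatchcase(table, r["table_name"])
              for c in r["restricted_columns"]}
    return [c for c in columns if c not in hidden]

def row_filter(policy, table, user_props):
    # Fail closed: a missing or unsafe property raises instead of dropping the filter.
    def fill(match):
        value = user_props.get(match.group(1))
        if value is None or not SAFE_VALUE.fullmatch(str(value)):
            raise PermissionError(f"unusable user property: {match.group(1)}")
        return str(value)
    clauses = [PLACEHOLDER.sub(fill, r["filter_sql"])
               for r in policy.get("row_filter_rules", [])
               if fnmatchcase(table, r["table_name"])]
    return " AND ".join(f"({c})" for c in clauses) or None
```

For a user whose tenant_id is acme, row_filter(POLICY, "orders", {"tenant_id": "acme"}) returns the predicate that the rewritten query on this page carries in its WHERE clause.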

Key Concepts

| Concept | Description |
| --- | --- |
| Policy YAML | The YAML document that defines all security rules for a data source |
| default_allow_tables | Controls whether unlisted tables are accessible (true) or blocked (false) |
| Glob patterns | Wildcard matching for table names — analytics_*, *_logs, * |
| Conditions | Attribute-based rules that apply only when a user's properties match |
| Template variables | Placeholders like {tenant_id} in row filters, filled from user properties |
