SQL Security Policies
Control what data users can access when querying databases through Kaelio.
SQL Security Policies let you define fine-grained access controls on your data sources. Policies are written in YAML and automatically transform user queries to enforce table access, column visibility, and row-level filtering.
What You Can Control
- Table access — Allow or block access to specific tables or groups of tables
- Column filtering — Hide sensitive columns (passwords, SSNs, PII) from query results
- Row-level security — Limit which rows users can see based on their identity or role
How It Works
- Write a policy — On a data source's Security tab, define your rules in YAML
- Set user properties — Assign security properties (like
tenant_idordepartment) to individual users - Enable enforcement — Toggle the Enforce Policy switch on
- Queries transform automatically — When users query the data source, Kaelio applies the policy before executing the SQL
For example, with this policy:
version: "1.0"
default_allow_tables: true
table_rules:
- table_name: audit_logs
allowed: false
column_rules:
- table_name: users
restricted_columns:
- password_hash
- ssn
row_filter_rules:
- table_name: orders
filter_sql: "tenant_id = '{tenant_id}'"A query like SELECT * FROM orders would automatically become SELECT * FROM orders WHERE tenant_id = 'acme' for a user whose tenant_id property is set to acme. The audit_logs table would be completely inaccessible, and password_hash and ssn columns would be stripped from any query against the users table.
Key Concepts
| Concept | Description |
|---|---|
| Policy YAML | The YAML document that defines all security rules for a data source |
default_allow_tables | Controls whether unlisted tables are accessible (true) or blocked (false) |
| Glob patterns | Wildcard matching for table names — analytics_*, *_logs, * |
| Conditions | Attribute-based rules that apply only when a user's properties match |
| Template variables | Placeholders like {tenant_id} in row filters, filled from user properties |
Next Steps
Policy YAML Reference
Full schema reference with all fields and options
Table Access Rules
Allow or block access to database tables
Column Filtering Rules
Hide sensitive columns from query results
Row Filter Rules
Limit visible rows with WHERE clause injection
User Security Properties
Configure per-user properties for template variables
Testing and Enforcement
Preview transformations and enable enforcement
Docs