DocsUser Security Properties
Assign per-user properties that populate template variables in row filter rules, enabling personalized data access controls.
User security properties are YAML key-value pairs assigned to individual users. When a query hits a data source with row filter rules, Kaelio replaces template variables like {tenant_id} or {department} with the actual values from the querying user's properties. This is how row-level security becomes personalized per user.
Where to Configure
Navigate to Admin > Users, select a user, then open the Security Properties tab. The editor accepts YAML key-value pairs and validates your input in real time -- any syntax errors appear immediately.
YAML Format
Properties are simple key-value pairs. Values can be strings, numbers, or nested objects.
tenant_id: "acme-corp"
department: sales
region: US-EAST
cost_center: CC-1234Built-in Properties
Every user automatically has these properties available, derived from their account:
| Property | Source |
|---|---|
user_id | The user's unique identifier |
tenant_id | The user's organization |
role | The user's assigned role |
Custom properties you define in the editor extend these built-in ones. If you set a custom property with the same name as a built-in one, your custom value takes precedence.
Nested Values
You can use dot notation to reference nested properties in your policies:
location:
region: US-EAST
office: NYCReference these in row filters as {location.region} or {location.office}.
How Properties Flow into Row Filters
When a user runs a query against a data source with row filter rules, the following happens:
- User queries a data source -- for example,
SELECT * FROM orders - Kaelio loads the user's security properties -- both built-in and custom properties are collected
- Template variables are replaced -- any
{property_name}placeholders inrow_filter_rulesare substituted with the user's actual values - The transformed query executes -- the final SQL includes the injected WHERE clauses
For example, given this row filter rule:
row_filter_rules:
- table_name: orders
filter_sql: "tenant_id = '{tenant_id}' AND region = '{region}'"A user with tenant_id: acme-corp and region: US-EAST would have their query transformed to:
SELECT * FROM orders
WHERE tenant_id = 'acme-corp' AND region = 'US-EAST'Missing Properties
If a row filter references a template variable (such as {department}) and the querying user does not have that property set, the query is denied entirely. Kaelio uses fail-closed behavior -- it will never execute a query with an unresolved template variable or silently remove the filter.
This means that if you add a row filter rule using {department}, every user who queries that table must have a department property configured. Users without it will receive an access denied error.
Tips
Set security properties for all users who will query data sources that have row filter rules. A single missing property will block the user's queries entirely.
- Use the SQL Preview tool on the data source's Security tab to verify that properties are substituted correctly before enabling enforcement. See Testing and Enforcement for details.
- Properties are validated as YAML in real time. The editor highlights errors immediately, so fix any issues before saving.
- Keep property names descriptive and consistent across users -- for example, always use
departmentrather than mixingdepartmentanddept.
Related
- Row Filter Rules -- define WHERE clause filters that use template variables
- Testing and Enforcement -- preview query transformations and enable policy enforcement
- Policy YAML Reference -- full schema reference for all policy fields
Row Filter Rules
Limit which rows users can see by injecting WHERE clauses into queries based on user properties like tenant, department, or role.
Testing and Enforcement
Preview how policies transform SQL queries before enabling enforcement, and control when transformations are applied to a data source.