Back to Resources

PostgreSQL Partial Indexes for Multi-Tenant RLS Performance

11 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Inevitable Performance Bottleneck in Multi-Tenant Architectures

In any mature multi-tenant SaaS application, the database schema often converges on a few monolithic tables partitioned by a tenant_id column. A documents, orders, or events table can easily grow to hundreds of millions or even billions of rows. The standard approach to ensure query performance is to create a composite index, typically starting with tenant_id.

sql
-- A typical table in a multi-tenant system
CREATE TABLE documents (
    id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    title text NOT NULL,
    content jsonb,
    status varchar(20) NOT NULL DEFAULT 'draft',
    created_at timestamptz NOT NULL DEFAULT now(),
    archived_at timestamptz
);

-- The standard, seemingly correct, index
CREATE INDEX idx_documents_tenant_status ON documents (tenant_id, status);

This works well initially. However, as the table grows, a critical problem emerges: data skew. In most applications, the lifecycle of data is not uniform. For instance, the number of archived documents might eventually dwarf the number of active or draft documents by an order of magnitude. A query for a tenant's active documents must navigate an index bloated with entries for data that is rarely, if ever, accessed.

sql
-- This query is common and needs to be fast
SELECT id, title, created_at
FROM documents
WHERE tenant_id = '...' AND status = 'active'
ORDER BY created_at DESC
LIMIT 50;

The PostgreSQL query planner is sophisticated, but a massive index impacts performance in several ways:

  • Increased Index Size: A larger index means more disk I/O and less likelihood of the required index blocks being in shared buffers (RAM). Cache hit rates suffer.
  • Deeper B-Tree Traversal: A larger index can lead to a deeper B-tree structure, requiring more page reads to locate the desired leaf nodes.
  • Maintenance Overhead: Larger indexes are slower to update on INSERT, UPDATE, and DELETE operations. VACUUM and REINDEX operations also take significantly longer.

    • This is where a more nuanced indexing strategy is required. We need a way to create indexes that only contain entries for the data we care about in our most frequent, performance-critical queries.

    The Solution: Highly Selective Partial Indexes

    Partial indexes are a powerful feature in PostgreSQL that allows you to build an index on a subset of a table's rows, defined by a WHERE clause. This clause is applied at index creation time and ensures that only rows matching the predicate are included in the index.

    The syntax is straightforward:

    sql
    CREATE INDEX index_name ON table_name (column_list) WHERE predicate;

    The magic happens when the query planner encounters a query whose WHERE clause matches the predicate of a partial index. It can then use this much smaller, more efficient index for the query plan.

    Pattern 1: Isolating the 'Hot' Data Path

    Let's revisit our documents table. Assume that 90% of the rows have a status of archived, while 99% of the application queries are for documents with status of draft or active.

    The single composite index idx_documents_tenant_status is suboptimal. We can replace it with a set of specialized partial indexes.

    sql
    -- Drop the bloated, general-purpose index
DROP INDEX idx_documents_tenant_status;

-- Create an index ONLY for the 'hot' data
CREATE INDEX idx_documents_hot_path ON documents (tenant_id, status, created_at)
WHERE status IN ('draft', 'active');

-- (Optional) Create a separate index for the 'cold' data if needed
CREATE INDEX idx_documents_cold_path ON documents (tenant_id, status, created_at)
WHERE status = 'archived';

    Analysis of the idx_documents_hot_path Index:

    * Size Reduction: This index will be approximately 10% of the size of the original index, as it completely ignores the archived rows.

    * Improved Cache Efficiency: Being smaller, it's far more likely to reside entirely in memory, leading to lightning-fast lookups.

    * Specificity: We've included created_at in the index definition. This allows PostgreSQL to perform an Index-Only Scan for queries that sort by creation date, avoiding a heap fetch to the table itself if all requested columns are in the index.

    Let's prove this with EXPLAIN ANALYZE. First, let's populate our table with skewed data.

    sql
    -- Setup: Create a sample tenant and populate with skewed data
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";

-- Let's use a function to generate a lot of data quickly
CREATE OR REPLACE FUNCTION populate_documents(target_tenant_id uuid, num_active int, num_archived int) RETURNS void AS $$
BEGIN
    INSERT INTO documents (tenant_id, title, status)
    SELECT target_tenant_id, 'Active Doc ' || i, 'active'
    FROM generate_series(1, num_active) i;

    INSERT INTO documents (tenant_id, title, status, archived_at)
    SELECT target_tenant_id, 'Archived Doc ' || i, 'archived', now() - interval '1 year'
    FROM generate_series(1, num_archived) i;
END;
$$ LANGUAGE plpgsql;

-- Generate 100k active and 1 million archived documents for one tenant
DO $$
DECLARE
    sample_tenant_id uuid := uuid_generate_v4();
BEGIN
    PERFORM populate_documents(sample_tenant_id, 100000, 1000000);
    -- Store the tenant_id for later use in our session
    EXECUTE 'SET app.test_tenant_id = ''' || sample_tenant_id || '''';
END;
$$;

ANALYZE documents;

    Now, let's test our query. We'll set enable_seqscan to off to encourage the planner to use an index, simulating a scenario where a sequential scan is prohibitively expensive on a much larger table.

    sql
    SET enable_seqscan = off;

EXPLAIN ANALYZE
SELECT id, title, created_at
FROM documents
WHERE tenant_id = current_setting('app.test_tenant_id')::uuid AND status = 'active'
ORDER BY created_at DESC
LIMIT 20;

    Expected EXPLAIN Output:

    The query plan will show a Bitmap Heap Scan or an Index Scan using our highly efficient idx_documents_hot_path index. The execution time will be sub-millisecond.

    text
    Limit  (cost=0.43..12.38 rows=20 width=62) (actual time=0.045..0.082 rows=20 loops=1)
  ->  Index Scan Backward using idx_documents_hot_path on documents  (cost=0.43..29672.48 rows=99167 width=62) (actual time=0.044..0.078 rows=20 loops=1)
        Index Cond: ((tenant_id = '...') AND (status = 'active'))
Planning Time: 0.158 ms
Execution Time: 0.101 ms

    The key takeaway is the Index Scan on idx_documents_hot_path. The planner correctly identified the most efficient index because the query's WHERE clause is a subset of the index's WHERE clause.

    Pattern 2: The Soft-Delete (`IS NULL`) Edge Case

    Another extremely common pattern is soft-deletion, where a deleted_at or archived_at timestamp column is used. Active records have a NULL value in this column.

    Queries for active data will almost always include WHERE archived_at IS NULL.

    sql
    -- A very common query pattern
SELECT * FROM documents
WHERE tenant_id = '...' AND archived_at IS NULL;

    If 95% of your data is eventually archived (i.e., archived_at IS NOT NULL), a standard index on (tenant_id) is again bloated with mostly irrelevant entries. The partial index is the perfect tool for this scenario.

    sql
    -- An index that ONLY tracks live, non-archived documents
CREATE INDEX idx_documents_live ON documents (tenant_id, created_at DESC)
WHERE archived_at IS NULL;

    Analysis:

    * Extreme Selectivity: This index is tiny compared to the full table, containing only the 5% of rows that are active.

    * Optimized Sorting: By including created_at DESC directly in the index definition, we pre-sort the data. Queries that fetch the latest documents for a tenant can read the index in order and stop as soon as the LIMIT is satisfied, which is incredibly efficient.

    Let's see the EXPLAIN plan for a query fetching the latest live documents:

    sql
    EXPLAIN ANALYZE
SELECT id, title, created_at
FROM documents
WHERE tenant_id = current_setting('app.test_tenant_id')::uuid AND archived_at IS NULL
ORDER BY created_at DESC
LIMIT 20;

    Expected EXPLAIN Output:

    text
    Limit  (cost=0.43..10.51 rows=20 width=62) (actual time=0.031..0.049 rows=20 loops=1)
  ->  Index Scan using idx_documents_live on documents  (cost=0.43..50992.43 rows=100000 width=62) (actual time=0.030..0.046 rows=20 loops=1)
        Index Cond: (tenant_id = '...')
Planning Time: 0.134 ms
Execution Time: 0.065 ms

    Notice the planner uses idx_documents_live. It's smart enough to understand that the query's WHERE archived_at IS NULL condition matches the index's predicate. The Index Scan is extremely fast because it doesn't have to sift through millions of archived row pointers.

    Integrating with Row-Level Security (RLS)

    Now, let's add the complexity of a production environment: strict data isolation between tenants using Row-Level Security. RLS is non-negotiable in a multi-tenant system.

    Here's how we set it up:

    sql
    -- 1. Enable RLS on the table
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;

-- 2. Create a policy that restricts access to the current tenant
-- We use `current_setting` to securely pass the tenant_id in the session.
CREATE POLICY tenant_isolation_policy ON documents
    FOR ALL
    USING (tenant_id = current_setting('app.tenant_id')::uuid);

    When RLS is enabled, PostgreSQL implicitly appends the USING clause from the policy to every query against the table. Our simple query:

    sql
    SELECT * FROM documents WHERE status = 'active';

    Effectively becomes:

    sql
    SELECT * FROM documents WHERE status = 'active' AND tenant_id = current_setting('app.tenant_id')::uuid;

    The Synergy Between RLS and Partial Indexes

    This is where the design of our partial indexes pays off beautifully. Our indexes, like idx_documents_hot_path on (tenant_id, status, created_at), were designed with tenant_id as the leading column. The RLS policy reinforces this access pattern.

    When a user from a specific tenant runs a query, the combination of their explicit WHERE clause and the implicit RLS USING clause provides the query planner with exactly the information it needs to select our highly-optimized partial index.

    Let's test this in a simulated application request context.

    sql
    -- In your application's database connection setup for a request:
-- 1. Begin a transaction
-- 2. Set the tenant_id for the current session. This is secure and scoped to the transaction.
-- 3. Run your queries
-- 4. Commit/rollback

BEGIN;
-- Set the tenant context. The string must be a valid UUID.
SELECT set_config('app.tenant_id', current_setting('app.test_tenant_id'), false);

-- Now, run the query as if from the application. Notice we don't specify tenant_id.
-- RLS will handle it automatically.
EXPLAIN ANALYZE
SELECT id, title
FROM documents
WHERE status = 'active'
ORDER BY created_at DESC
LIMIT 10;

COMMIT;

    Expected EXPLAIN Output:

    The plan will be virtually identical to our previous tests. The planner is smart enough to combine the RLS policy's predicate with the query's predicate and match it to idx_documents_hot_path.

    text
    Limit  (cost=0.43..12.38 rows=10 width=54) (actual time=...)
  ->  Index Scan Backward using idx_documents_hot_path on documents ...
        Index Cond: ((tenant_id = current_setting('app.tenant_id')::uuid) AND (status = 'active'))

    This demonstrates a critical architectural principle: Align your physical indexing strategy with your logical security and data access patterns. By creating partial indexes that mirror the common queries filtered by RLS, you achieve both security and performance without compromise.

    Production Considerations, Trade-offs, and Gotchas

    While powerful, partial indexes are not a silver bullet. Senior engineers must consider the trade-offs.

    1. Index Management and Migrations

    Adding indexes to large, live production tables is a delicate operation. You must use CREATE INDEX CONCURRENTLY to avoid locking the table against writes.

    sql
    -- In a database migration file:
CREATE INDEX CONCURRENTLY idx_documents_live ON documents (tenant_id, created_at DESC)
WHERE archived_at IS NULL;

    This command takes longer and consumes more CPU/IO, but it allows the application to continue operating normally. Managing a suite of partial indexes means your migration scripts need to be robust.

    2. Write Overhead

    Every index adds overhead to write operations (INSERT, UPDATE, DELETE). However, partial indexes have a distinct advantage here. A row is only added to/removed from a partial index if it matches the predicate.

    INSERT: If a new document is INSERTed with status = 'archived', it will not* be added to idx_documents_hot_path. The write overhead is lower compared to a full index.

    * UPDATE: Consider UPDATE documents SET title = 'New Title' WHERE id = '...'. If this document is archived, neither idx_documents_hot_path nor idx_documents_live needs to be touched. If an active document is updated to archived, it will be removed from the hot index and (potentially) added to the cold index. This churn is a cost to consider.

    3. Query Planner Dependencies

    The query planner's ability to choose the correct partial index depends on accurate table statistics. It's crucial to have autovacuum configured aggressively for these large tables or to run ANALYZE manually after significant data changes.

    If the planner's statistics are stale, it might mistakenly believe a sequential scan is cheaper than using your finely-tuned partial index, leading to sudden performance degradation.

    4. When NOT to Use Partial Indexes

    * Low Selectivity: If your WHERE clause for the index would still include 80% of the table, the benefits are marginal. The goal is to create indexes on small, frequently accessed subsets of data.

    * Ad-Hoc Querying: If your application's query patterns are highly variable and unpredictable, it's difficult to create a useful set of partial indexes. In such cases, a few well-designed general-purpose composite indexes might be more robust.

    * Predicate Complexity: The predicate for a partial index cannot contain subqueries or user-defined functions that are not IMMUTABLE. Keep the predicates simple and based on static column values.

    Conclusion: A Precision Tool for Scalability

    For senior engineers architecting and maintaining large-scale multi-tenant systems on PostgreSQL, moving beyond basic indexing is essential for long-term performance and scalability. The combination of partial indexes and Row-Level Security is not merely a trick; it's a strategic pattern that aligns the physical data layout with the application's most critical and frequent access paths.

    By isolating 'hot' data subsets—like active, non-archived records—into small, highly-optimized indexes, you achieve:

    * Drastically Reduced Index Size: Leading to better memory utilization and higher cache hit rates.

    * Faster Query Execution: Sub-millisecond response times for common queries, even on billion-row tables.

    * Lower Maintenance Overhead: Faster VACUUM and REINDEX operations.

    * Seamless Integration with RLS: Ensuring that security policies and performance optimizations work in concert, not against each other.

    This approach requires a deep understanding of your data distribution and query patterns, but the payoff in performance, stability, and scalability is immense. It represents a shift from brute-force indexing to a more surgical, intelligent strategy befitting a mature and complex software system.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles