Back to Resources

PostgreSQL RLS for Complex Multi-Tenant SaaS Authorization

17 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

Beyond `WHERE tenant_id`: The Case for Database-Enforced Authorization

In the world of multi-tenant SaaS architecture, the simple WHERE tenant_id = ? clause is the bedrock of data isolation. It's effective, understandable, and works reliably—until it doesn't. Real-world applications demand more sophisticated authorization models: hierarchical tenants, project-based access within a tenant, user roles with varying permissions (admin, manager, member), and the ever-present need for super-admin or support access that spans tenants.

Implementing this logic exclusively in the application layer leads to a predictable set of problems. Authorization checks become scattered across services, controllers, and data access layers. A single missed check can lead to a catastrophic data leak. It's brittle, difficult to audit, and couples your business logic tightly to your data access patterns.

This is where PostgreSQL's Row-Level Security (RLS) becomes a strategic architectural tool. RLS allows you to define security policies directly on tables, which the database engine enforces automatically for every query against that table. It moves authorization from a scattered application-level concern to a centralized, data-centric guarantee.

This article is not an introduction to RLS. We assume you understand CREATE POLICY. Instead, we will dissect the advanced patterns, performance pitfalls, and complex edge cases encountered when deploying RLS in a production SaaS environment.

The Scenario: A Project Management SaaS

To ground our examples, let's model a simple project management tool with the following schema. A tenant has multiple users, and each user can be part of multiple projects within that tenant. We'll evolve this schema as we introduce more complex requirements.

sql
-- Initial Schema
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";

CREATE TABLE tenants (
    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
    name TEXT NOT NULL
);

CREATE TABLE users (
    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
    tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    email TEXT NOT NULL UNIQUE,
    role TEXT NOT NULL DEFAULT 'member' -- e.g., 'admin', 'member'
);

CREATE TABLE projects (
    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
    tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    name TEXT NOT NULL
);

CREATE TABLE tasks (
    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
    project_id UUID NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
    -- NOTE: We will add tenant_id here later for performance reasons
    title TEXT NOT NULL,
    assignee_id UUID REFERENCES users(id)
);

-- Enable RLS on all relevant tables
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;

1. The Foundation: Session Context and Basic Isolation

The core mechanism for RLS in a web application is setting session-level configuration variables. The application authenticates a user, determines their identity and tenancy, and then sets this context on the database connection before executing any queries. These variables are ephemeral, private to the current session, and serve as the parameters for our policies.

We'll use namespaced variables like app.current_tenant_id to avoid conflicts with standard PostgreSQL settings.

Here's how an application middleware (e.g., in Go with pgx) would set this context:

go
// Example Go middleware for setting session context
func RLSContextMiddleware(next http.Handler, dbpool *pgxpool.Pool) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        // Assume user and tenant are authenticated and retrieved from a JWT or session
        tenantID := getTenantIDFromRequest(r)
        userID := getUserIDFromRequest(r)

        // Set the context for this connection's lifetime within the request
        conn, err := dbpool.Acquire(r.Context())
        if err != nil {
            http.Error(w, "Could not acquire DB connection", http.StatusInternalServerError)
            return
        }
        defer conn.Release()

        // Use a transaction block to ensure settings are applied before queries
        tx, err := conn.Begin(r.Context())
        if err != nil {
            http.Error(w, "Could not start transaction", http.StatusInternalServerError)
            return
        }
        defer tx.Rollback(r.Context()) // Rollback is a no-op if committed

        setTenant := fmt.Sprintf("SET LOCAL app.current_tenant_id = '%s'", tenantID)
        setUser := fmt.Sprintf("SET LOCAL app.current_user_id = '%s'", userID)

        _, err = tx.Exec(r.Context(), setTenant)
        if err != nil { /* ... error handling ... */ }

        _, err = tx.Exec(r.Context(), setUser)
        if err != nil { /* ... error handling ... */ }

        // Store the transaction in the request context for handlers to use
        ctxWithTx := context.WithValue(r.Context(), "db_tx", tx)
        r = r.WithContext(ctxWithTx)

        next.ServeHTTP(w, r)
        // The transaction will be rolled back automatically if not committed by a handler
    })
}

With this middleware in place, every query executed within a request's lifecycle will have access to app.current_tenant_id and app.current_user_id.

Now, we can define our basic isolation policies:

sql
-- Policy for projects: Users can only see projects in their tenant.
CREATE POLICY select_projects ON projects
    FOR SELECT
    USING (tenant_id = current_setting('app.current_tenant_id')::uuid);

-- Policy for users: Users can only see other users within their own tenant.
CREATE POLICY select_users ON users
    FOR SELECT
    USING (tenant_id = current_setting('app.current_tenant_id')::uuid);

-- Policies must also cover INSERT, UPDATE, DELETE to prevent data exfiltration.
-- The WITH CHECK clause is crucial for write operations.
CREATE POLICY insert_projects ON projects
    FOR INSERT
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id')::uuid);

CREATE POLICY update_projects ON projects
    FOR UPDATE
    USING (tenant_id = current_setting('app.current_tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id')::uuid);

The USING clause applies to existing rows for SELECT, UPDATE, or DELETE. The WITH CHECK clause applies to new or updated rows for INSERT and UPDATE. A common pattern is to use the same condition for both to ensure a user can't move a record out of their scope.

2. Advanced Authorization: Hierarchical Roles and Permissions

Simple tenant isolation is just the start. Let's introduce a more realistic requirement: within a tenant, a user can be an admin or a member. An admin can see and manage all projects. A member can only see projects they are explicitly assigned to.

First, we need to adjust our schema:

sql
-- Add a table to link users to projects (many-to-many)
CREATE TABLE project_members (
    project_id UUID NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    PRIMARY KEY (project_id, user_id)
);

-- We also need to get the user's role into the session context.
-- The middleware would be updated to set 'app.current_user_role'.

Now, we can create a much more expressive policy on the projects table. We'll drop the old one and create a new one that handles this logic.

sql
DROP POLICY select_projects ON projects;

CREATE POLICY select_projects_by_role ON projects
    FOR SELECT
    USING (
        -- All queries are still fundamentally scoped to the tenant
        tenant_id = current_setting('app.current_tenant_id')::uuid
        AND
        (
            -- Condition 1: The user is an admin in this tenant.
            current_setting('app.current_user_role') = 'admin'
            OR
            -- Condition 2: The user is a member of this specific project.
            EXISTS (
                SELECT 1
                FROM project_members pm
                WHERE pm.project_id = projects.id
                AND pm.user_id = current_setting('app.current_user_id')::uuid
            )
        )
    );

This single policy now encapsulates our business logic:

  • It guarantees tenant isolation first and foremost.
  • It then checks if the user is an admin. If so, the OR clause short-circuits, and they get access.
  • If not an admin, it executes the EXISTS subquery to check for explicit membership in the project_members table.

    • This is a powerful shift. The application code can now simply query SELECT FROM projects; and the database will correctly return only the projects the current user is authorized to see. The application layer no longer needs to know why* a user can see a project, only that they can.

    3. Performance Deep Dive: The Cost of Complexity

    RLS is not free. Every query against a protected table is rewritten by the planner to include the policy's USING clause. A simple predicate like tenant_id = ? is easily optimized. A complex policy with subqueries, like our role-based example, can have significant performance implications.

    Analyzing Policy Performance

    Let's analyze the query SELECT * FROM projects WHERE name LIKE 'Q1%'; with our new policy.

    sql
    -- Set the context for an admin user
SET app.current_tenant_id = '...';
SET app.current_user_id = '...';
SET app.current_user_role = 'admin';

EXPLAIN ANALYZE SELECT * FROM projects WHERE name LIKE 'Q1%';

    The query plan for an admin will be simple. The planner is smart enough to see that current_setting('app.current_user_role') = 'admin' is true and constant for the query's duration, so the EXISTS subquery is never evaluated.

    Now, let's analyze for a member:

    sql
    SET app.current_user_role = 'member';

EXPLAIN ANALYZE SELECT * FROM projects WHERE name LIKE 'Q1%';

    The plan will be drastically different. For each row in projects that matches the tenant_id and name filters, PostgreSQL will have to execute the EXISTS subquery. This can lead to a nested loop-like behavior, which is inefficient on large tables.

    Query Plan (Simplified):

    text
    -> Filter: ((tenant_id = '...') AND ((current_setting(...) = 'admin') OR (subplan)))
  -> Index Scan on projects_name_idx (name LIKE 'Q1%')
    SubPlan 1
      -> Index Scan on project_members_pkey (project_id = projects.id, user_id = '...')

    Optimization Strategy 1: Data Denormalization

    One common bottleneck is when policies need to join across multiple tables. Consider the tasks table. A naive policy would look like this:

    sql
    -- Inefficient policy on tasks
CREATE POLICY select_tasks ON tasks
    FOR SELECT
    USING (
        EXISTS (
            SELECT 1 FROM projects p
            WHERE p.id = tasks.project_id
            -- And now we repeat the entire complex project policy here!
            AND p.tenant_id = current_setting('app.current_tenant_id')::uuid
            AND (
                current_setting('app.current_user_role') = 'admin'
                OR EXISTS (...)
            )
        )
    );

    This is a performance disaster. For every task, we're re-evaluating the complex logic on the projects table. A much better approach is to denormalize the tenant_id from the projects table onto the tasks table.

    sql
    -- Add tenant_id to tasks
ALTER TABLE tasks ADD COLUMN tenant_id UUID;
-- (Backfill data and add a NOT NULL constraint and foreign key)

-- Now the policy is simpler and more performant
CREATE POLICY select_tasks_optimized ON tasks
    FOR SELECT
    USING (
        -- First, a fast check on an indexed column
        tenant_id = current_setting('app.current_tenant_id')::uuid
        AND
        -- Then, check if the user can see the parent project.
        -- This still requires a subquery, but the initial filtering is much faster.
        EXISTS (
            SELECT 1 FROM projects p
            WHERE p.id = tasks.project_id
            -- RLS on the projects table is AUTOMATICALLY APPLIED here!
        )
    );

    This is a critical insight: RLS policies are compositional. When a policy on tasks queries the projects table, the RLS policy on projects is automatically applied within that subquery. You don't need to repeat the logic. You just need to check for existence, and the database will handle the permissions on the joined table.

    Optimization Strategy 2: Using Functions

    For extremely complex or frequently reused logic, you can encapsulate it in a function. It's crucial to mark the function's volatility correctly.

    * IMMUTABLE: The function always returns the same result for the same arguments (e.g., sqrt(2)). Not useful for RLS.

    STABLE: The function's result is constant within a single scan*. This is perfect for our current_setting calls.

    * VOLATILE: The function's result can change at any time (e.g., random(), now()). This is the default and forces re-evaluation for every row.

    sql
    CREATE OR REPLACE FUNCTION is_tenant_admin(tenant_id_in uuid)
RETURNS boolean AS $$
BEGIN
    -- This function encapsulates the logic for checking admin status.
    -- It assumes app.current_user_id and app.current_tenant_id are set.
    RETURN EXISTS (
        SELECT 1 FROM users
        WHERE id = current_setting('app.current_user_id')::uuid
        AND tenant_id = tenant_id_in
        AND role = 'admin'
    );
END;
$$ LANGUAGE plpgsql STABLE;

    By marking the function as STABLE, we give the planner a hint that it doesn't need to re-evaluate it for every single row, only once per query scan, which can yield significant performance gains.

    4. Edge Cases and Production Patterns

    The Super-Admin Problem

    Your internal support team or a system super-admin needs to access all data, bypassing RLS. There are two primary approaches:

    1. The BYPASS RLS Attribute (Preferred)

    Create a specific role for super-admins and grant it the BYPASS RLS attribute. This is the cleanest, most secure, and most auditable method.

    sql
    CREATE ROLE super_admin_role;
ALTER ROLE super_admin_role WITH BYPASS RLS;

-- In your application, when a super-admin logs in, you connect
-- to the database using a connection pool dedicated to this role, or run:
SET ROLE super_admin_role;

-- All subsequent queries in this session will bypass RLS.
SELECT * FROM tasks WHERE id = '...'; -- Works across all tenants

-- Revert to the original role
RESET ROLE;

    2. The Policy-based Bypass (Use with caution)

    You can build a bypass into your policy itself. This is less secure as it relies on a session variable that could potentially be spoofed if your application has security flaws.

    sql
    -- Example policy with a bypass flag
CREATE POLICY select_projects_with_bypass ON projects
    FOR SELECT
    USING (
        current_setting('app.is_super_admin', true) = 'true'
        OR
        (
            tenant_id = current_setting('app.current_tenant_id')::uuid
            -- ... rest of the policy
        )
    );

    Cross-Tenant Access

    Consider a user who is a member of two different tenants. The application must provide a UI to switch contexts. When the user switches, the application simply needs to start a new transaction, set the new app.current_tenant_id, and execute queries. The database handles the rest. This simplifies the application logic immensely, as the state is managed entirely by the database session context.

    RLS and ORMs

    Object-Relational Mappers (ORMs) can be tricky with RLS. The ORM is unaware that the database is filtering rows. If an ORM tries to fetch an object by its primary key (e.g., db.projects.get(pk)) and RLS prevents access, the ORM will receive an empty result set and typically raise a "Not Found" error. This is usually the correct behavior. From the perspective of the user's session, that object does not exist.

    The key is to ensure your connection logic robustly sets the RLS session variables before any ORM code is executed. Connection pool hooks are the ideal place for this.

    Here's an example using Python's SQLAlchemy:

    python
    from sqlalchemy import event
from sqlalchemy.engine import Engine

@event.listens_for(Engine, "connect")
def set_rls_context(dbapi_connection, connection_record):
    # This function is called every time a new connection is checked out from the pool.
    # You need a way to get the current request's context here.
    # This is often done using thread-local storage or context variables (e.g., Flask's `g` object).
    
    tenant_id = get_current_tenant_id()
    user_id = get_current_user_id()

    if tenant_id and user_id:
        cursor = dbapi_connection.cursor()
        # Use SET LOCAL to scope the setting to the current transaction
        cursor.execute(f"SET LOCAL app.current_tenant_id = '{tenant_id}';")
        cursor.execute(f"SET LOCAL app.current_user_id = '{user_id}';")
        cursor.close()

    5. Debugging and Auditing

    When a query returns an empty result set, it can be difficult to determine if it's due to RLS or other WHERE clauses.

    * EXPLAIN (VERBOSE): This is your best friend. It will show you the exact query predicate that the RLS policy added to your query. You can inspect it to see if it's what you expected.

    * Logging: Set log_statement = 'all' in postgresql.conf during development. This will log every single query, including the ones setting session variables, allowing you to trace the entire lifecycle of a request.

    pg_policies View: You can query SELECT FROM pg_policies WHERE tablename = 'projects'; to inspect the parsed definition of the policies currently active on a table.

    Conclusion: A Paradigm Shift in Authorization

    Adopting Row-Level Security for multi-tenant authorization is more than just a new technique; it's an architectural paradigm shift. It forces a clear separation of concerns, moving complex, security-critical authorization logic out of the application and into the database, which is designed to manage data integrity and access control.

    While the initial setup is more involved than simple WHERE clauses, the long-term benefits are substantial:

  • Centralized Logic: Authorization rules live in one place—the database schema—making them easier to audit, update, and reason about.
  • Reduced Application Complexity: Application code can be written more naively, simply requesting the data it needs, trusting the database to enforce access.
  • Enhanced Security: The risk of a developer forgetting a WHERE clause in a new API endpoint is eliminated. The database provides a robust security backstop.

    • However, RLS is not a silver bullet. It requires careful schema design, a deep understanding of the query planner, and a disciplined approach to performance testing. For complex SaaS applications where data segregation and fine-grained permissions are paramount, PostgreSQL RLS is an exceptionally powerful and elegant solution that senior engineers should have in their toolkit.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles