Dynamic Row Level Filtering¶
Row Level Filtering (RLF) allows fine-grained control over which rows of a dataset a user or group is permitted to view. Policies evaluate context and apply dynamic filter conditions directly at the row level. So when the same table is queried by different users, the results may differ based on the RLF policies in place.
Overview¶
- Applies only to SELECT operations.
- Defined at the table level (or equivalent) in supported services.
- RLF expressions are SQL fragments evaluated by the data platform.
- Can use static values or dynamic context such as user roles, groups, or other attributes.
- If the native service does not support dynamic RLF natively (e.g., PostgreSQL), Privacera automatically creates Secure Views to enforce the same logic.
Dynamic Row Level Filtering is not supported for Object Storage (e.g., AWS S3).
Objects in S3, ADLS, GCS, or MinIO are accessed using Apache Spark (EMR, EKS, or Kubernetes), Jupyter Notebooks, CLI, or File Explorer tools, the entire object is read on the client side and there is no way to filter rows before the data is read. Privacera does not support dynamic row-level filtering for these services.
Pre-requisites Reading
Please read the following before creating Row Level Filter policies:
Supported Services¶
| Service | Support Level |
|---|---|
| Snowflake |  Yes |
| Databricks UC | Yes |
| Redshift | Yes |
| PostgreSQL | Yes (via Secure Views) |
| AWS S3 |  No |
Components of a Row Filter Policy¶
| Field | Description |
|---|---|
| Resource | database → table |
| Row Filter Expr | SQL condition using column names and constants or macros |
| Policy Scope | Users, groups, roles |
| Conditions | Optional policy conditions using macros like IS_IN_GROUP(...) |
| Audit Enabled | Recommended to track policy evaluations and data visibility enforcement |
Creating RLF via Privacera Portal¶
- Go to Access Management > [Service Type].
- Open the Row Filter Policies tab.
- Click + Add Policy.
- Define the resource (e.g.,
database = sales,table = orders). - Set the Row Filter Expression, for example:
- Assign applicable users, groups, or roles.
- Save the policy and verify audit logging.
Example: Filter by Static Region¶
Use Case: Users in the us_analyst group should only see rows where the region is 'US'.
| Component | Value |
|---|---|
| Service | Snowflake |
| Database | sales |
| Table | orders |
| Row Filter Expression | region = 'US' |
| Groups | us_analyst |
Limitations¶
- Row filtering is only supported for SELECT operations.
- Expressions must be valid in the syntax of the underlying service (e.g., Snowflake SQL).
- In some cases like Snowflake and Unity Catalog, RLF is enforced using native SQL functions and this may impact performance.
- Row Level Filters is not supported for Object Storage (e.g., AWS S3).
Tips¶
- Expressions must be valid SQL for the respective engine.
- Always test filters using query tools to ensure proper behavior.
- When using macros, validate their expansion using sample user data.
Related Topics¶
- Prev topic: Resource-Based Policies
- Next topic: Dynamic Column Masking