row-level security policies in Supabase for a multitenant application #149922

kirigakure0000 · 2025-01-24T22:24:35Z

kirigakure0000
Jan 24, 2025

Select Topic Area

Question

Body

I’m having a really hard time setting up RLS policies in Supabase. I’m building a multi-tenant app, and I need to restrict access to rows based on the tenant_id column. I’ve tried writing a policy, but it’s not working, and I’m not sure what I’m doing wrong. Here’s what I have so far:

CREATE POLICY "Tenant can access their own data"
ON my_table
FOR SELECT
USING (tenant_id = auth.uid());

But when I query the table, I’m still seeing all the rows, not just the ones for the current tenant. Am I missing something? Any help would be greatly appreciated!

Answered by joemar25

Jan 24, 2025

No need to worry, RLS can be a bit tricky at first, but I’ll walk you through it... :D

First, it looks like you’re on the right track with your policy, but there’s a small misunderstanding. The auth.uid() function returns the UUID of the currently authenticated user, not the tenant_id. If your tenant_id is stored in a different way (e.g., in a profiles table or as a custom claim in the JWT), you’ll need to adjust your policy accordingly.

Here’s an example of how you can set this up:

Assume you have a profiles table that stores the tenant_id for each user. You can create a policy that joins the profiles table to enforce the restriction:

CREATE POLICY "Tenant can access their own data"
ON …

View full answer

joemar25 · 2025-01-24T22:30:17Z

joemar25
Jan 24, 2025

No need to worry, RLS can be a bit tricky at first, but I’ll walk you through it... :D

First, it looks like you’re on the right track with your policy, but there’s a small misunderstanding. The auth.uid() function returns the UUID of the currently authenticated user, not the tenant_id. If your tenant_id is stored in a different way (e.g., in a profiles table or as a custom claim in the JWT), you’ll need to adjust your policy accordingly.

Here’s an example of how you can set this up:

Assume you have a profiles table that stores the tenant_id for each user. You can create a policy that joins the profiles table to enforce the restriction:

CREATE POLICY "Tenant can access their own data"
ON my_table
FOR SELECT
USING (
  tenant_id = (
    SELECT tenant_id
    FROM profiles
    WHERE user_id = auth.uid()
  )
);

If tenant_id is stored in the JWT as a custom claim, you can use auth.jwt() to access it directly:

CREATE POLICY "Tenant can access their own data"
ON my_table
FOR SELECT
USING (
  tenant_id = (auth.jwt() ->> 'tenant_id')::uuid
);

Make sure your JWT includes the tenant_id claim when you authenticate users.

Enable RLS on your table if you haven’t already:

ALTER TABLE my_table ENABLE ROW LEVEL SECURITY;

Finally, test your setup by querying the table while authenticated as a user with a specific tenant_id. You should only see rows that match their tenant_id. Let me know if this helps or if you run into any other issues😊

1 reply

kirigakure0000 Jan 24, 2025
Author

ohhh, I see now! I was using auth.uid() incorrectly. thanks.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

row-level security policies in Supabase for a multitenant application #149922

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

GitHub Community

row-level security policies in Supabase for a multitenant application #149922

kirigakure0000 Jan 24, 2025

Select Topic Area

Body

Replies: 1 comment · 1 reply

joemar25 Jan 24, 2025

kirigakure0000 Jan 24, 2025 Author

kirigakure0000
Jan 24, 2025

Replies: 1 comment 1 reply

joemar25
Jan 24, 2025

kirigakure0000 Jan 24, 2025
Author