Advanced RLS provides full control over row-level data access using custom SQL conditions. It is designed for complex access rules that cannot be expressed using simple field mappings.
Advanced RLS is query-driven, flexible, and evaluated at runtime for every data access request
Prerequisites
Before enabling Advanced RLS:
Target object must exist
User context (user ID, role, tenant) must be available
Required source and permission objects must exist
SQL author must understand object schema
Step-by-Step: Enabling Advanced RLS
Note: Please refer to the Standard RLS setup for permission object and source object setup.
Step 1: Navigate to Target Object
Open the target object on which RLS must be applied.
Click on Activate row security feature.
Step 2: Enable RLS
Enable RLS and select:
RLS Type: Advanced
Select the preferred lookup field.
Step 3: Define Custom SQL Filter
Provide a SQL condition that evaluates to TRUE for rows the user is allowed to access.
Example:
Step 4: Validate SQL
Validate the SQL syntax and ensure:
References to target object fields are correct
User context variables are supported
Step 5: Activate RLS
Click on add in Add Row Security panel.
Once activated, all queries on the target object automatically apply the SQL filter.
Step 6: Commit and Deploy
After making all the required changes, commit all your changes and deploy the application.
Differences: Standard vs Advanced RLS
Feature
Standard RLS
Advanced RLS
Configuration
UI-based
SQL-based
Complexity
Low
High
Custom Logic
❌
✅
Performance
High
Depends on SQL
Maintenance
Low
Medium–High
Limitations and Risks
Incorrect SQL can block all data
Poorly optimized queries impact performance
Requires SQL expertise
Harder to debug than Standard RLS
Failure Scenarios
Invalid SQL → RLS evaluation fails
Missing user context → No data returned
Permission table misconfiguration → Empty result set
