How to enable Standard RLS for an Object?

1. Overview

Standard RLS (row-level security) restricts data access at the row level using a permission object that maps users (or user groups) to allowed values in the target object.

Standard RLS is configuration-driven and does not require writing SQL.


2. Key Concepts

2.1 Target Object

The object on which RLS is applied.

Examples:

  • profit_and_loss

  • sales_data

  • employee_records


2.2 Source Object

The object that represents users or user groups.

Examples:

  • users

  • roles

  • departments


2.3 Permission Object

An object that defines the relationship between:

  • Source Object (who is accessing)

  • Target Object (what data is accessed)

It contains:

  • Reference to source object

  • Reference to target object

  • Fields used for row-level filtering


3. Preconditions

Before enabling Standard RLS, ensure:

  • Target object exists

  • Source object exists

  • Permission object exists

  • Required reference fields are created

  • User identity mapping is available (e.g., user_id)


4. Step-by-Step: Enabling Standard RLS

Step 1: Create the Source Object

Create the object that represents the accessing entity.

The source object can be of any object type.

Example:

Fields:

  • department_external_id

  • department_name

Step 2: Create the Permission Object

Create an object that links the source and target objects.

This object must be of type Permission Object.

It contains a lookup field referring to the source object.

Example:

Fields:

  • citta_user_id

  • citta_permission

  • department

Step 3: Create the Target Object

Create the object on which data access must be restricted.

In this object, create one lookup field referring to the source object.

Example:

Fields:

  • employee_external_id

  • employee_name

  • department -> Lookup field referring to department object.


Step 4: Configure RLS on the Target Object

Enable RLS on the target object and select:

  • RLS Type: Standard

  • Permission Object: Department_Permissions

  • Source Object: Department


Step 5: Save and Activate

Click Add in the Add Row Security panel. RLS filtering is then activated on the object.

An "RLS enabled" tag will be visible to the right of the object name.

Once activated:

  • All queries on the target object automatically apply row-level filters.

  • No SQL changes are required in queries.


5. Example Use Case

Scenario

A user should see only their own business unit's data.

Configuration

  • Target Object: Employees

  • Source Object: Department

  • Permission Object: Department_Permissions

Result:

  • If User A belongs to department 1, User A sees only department 1 users.

  • If User B belongs to department 2, User B sees only department 2 users.
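
The filtering configured in Steps 1 to 5 can be modelled outside the product to work out who should see which rows before checking the live object. The following is an added example, not product code: it uses SQLite with the field names from Steps 1 to 3, while the table names, sample rows, the `citta_permission` value and the exact matching rule are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE department (department_external_id TEXT PRIMARY KEY, department_name TEXT);
CREATE TABLE department_permissions (citta_user_id TEXT, citta_permission TEXT, department TEXT);
CREATE TABLE employees (employee_external_id TEXT PRIMARY KEY, employee_name TEXT, department TEXT);
-- Constructed sample rows; 'placeholder' stands in for a real citta_permission value.
INSERT INTO department VALUES ('1', 'Department 1'), ('2', 'Department 2');
INSERT INTO department_permissions VALUES
  ('user_a', 'placeholder', '1'), ('user_b', 'placeholder', '2');
INSERT INTO employees VALUES
  ('e1', 'Employee 1', '1'), ('e2', 'Employee 2', '1'),
  ('e3', 'Employee 3', '2'), ('e4', 'Employee 4', NULL);
"""

def build_db():
    """Create an in-memory database holding the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def visible_employees(db, user_id):
    """Assumed rule: a target row is visible when a permission row for the
    user carries the same department lookup value as the row."""
    rows = db.execute(
        """SELECT e.employee_external_id FROM employees e
           WHERE EXISTS (SELECT 1 FROM department_permissions p
                         WHERE p.citta_user_id = ?
                           AND p.department = e.department)
           ORDER BY e.employee_external_id""",
        (user_id,),
    )
    return [r[0] for r in rows]

def audit(db, expected):
    """Return {user: (unexpected_rows, missing_rows)} for every mismatch
    between the expected visibility and what the rule yields."""
    findings = {}
    for user, want in expected.items():
        got = set(visible_employees(db, user))
        if got != set(want):
            findings[user] = (sorted(got - set(want)), sorted(set(want) - got))
    return findings

if __name__ == "__main__":
    db = build_db()
    for user in ("user_a", "user_b", "user_c"):
        print(user, visible_employees(db, user))
```

In this model a user with no permission row (`user_c`) and a target row with an empty lookup (`e4`) match nothing; both cases are worth testing against the real object after activation.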

