Setting up row-level security
This section describes how to configure Row-Level Security (RLS) for a semantic model in Kyvos to enforce fine-grained data access control. RLS enables you to define row-level conditions that restrict data visibility based on user or group attributes, ensuring that users see only authorized data when querying semantic models.
Starting with Kyvos 2026.2, you can specify custom attributes in Azure Active Directory (Azure AD) for row-level security (RLS) during semantic model processing.
To set up row-level security (RLS), perform the following steps.
From the Toolbox, click Semantic Models.
Select the semantic model name from the list and click the Process tab if needed.
From Properties, scroll down to Data Security and choose one of the following as an endpoint source:
Kyvos Internal
CustomRLS: Displayed only if the corresponding JAR files are uploaded through Custom Data Security Configurations on the Kyvos Manager.
Select an endpoint.
Click the Define Rule and Mapping link and select Groups or Users and select the groups or users you want to use or use Search to find them.
For Rules, click Allow All Columns, Allow All Rows, or click the Plus sign next to Rules to add a custom rule.
On the Add Rule dialog, provide Rule Name and Description.
From the Row Level area, click the field link and select the field on which you want to apply the RLS.
Select the condition (And / Or) using the and link.
Click the value link, and the dialog box is displayed where you can search or select the values on which you can apply the RLS. The available choices vary depending on the data you are using.
Click Add. The RLS is applied to the selected values. you can also apply RLS on the Key value when the Hierarchy/attribute contains description (display field).
Click Row Level, and then select the click the field link, and then select the field on which you want to apply the RLS security on key field.
The RLS on Key field is applied to the values.
Read more: