SQL Expression‑Based Row‑Level Security
SQL Expression-Based Row-Level Security (RLS) enables users to define custom rule expressions that operate on user-specific columns to enforce data access restrictions.
This framework ensures that users can access only the data rows that correspond to their authorized divisions, job functions, organizational units, or signature categories. Access control is enforced through automated bitmap filtering.
Bitmap security is a security mechanism that represents permissions using numeric bitmap values. Bitwise operations (AND/OR) are applied to determine whether a user has access to specific data rows.
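The following sketch models the bitmap filtering described above. It is an added illustration, not Kyvos code and not the logic of the provided callback JAR. The bit assignments, user names, sample rows, and the rule that every dimension must share at least one bit are assumptions made for the example.

```python
# Hypothetical bit assignments; the page does not list the real values.
RETAIL, WHOLESALE, ONLINE = 1, 2, 4      # division bits
ANALYST, AUDITOR, MANAGER = 1, 2, 4      # job-function bits

# Constructed entitlements: user -> (division bitmap, job-function bitmap).
# OR folds several grants into a single numeric value.
ENTITLEMENTS = {
    "alice": (RETAIL | ONLINE, ANALYST),
    "bob": (WHOLESALE, AUDITOR | MANAGER),
    "carol": (0, ANALYST),               # no division granted
}

# Constructed data rows: (row id, division bitmap, job-function bitmap).
ROWS = [
    (1, RETAIL, ANALYST),
    (2, WHOLESALE, MANAGER),
    (3, ONLINE | WHOLESALE, ANALYST | AUDITOR),
    (4, ONLINE, MANAGER),
]


def row_visible(user_bits, row_bits):
    """Return True only if each dimension shares at least one bit (AND != 0)."""
    return all((u & r) != 0 for u, r in zip(user_bits, row_bits))


def visible_rows(user):
    """Return the ids of the rows the user may read."""
    # Fail closed: a user with no entitlement record gets all-zero bitmaps,
    # so the AND test can never succeed and no rows are returned.
    user_bits = ENTITLEMENTS.get(user, (0, 0))
    return [rid for rid, *row_bits in ROWS if row_visible(user_bits, row_bits)]


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "mallory"):
        print(name, visible_rows(name))
```

A zero bitmap in any one dimension hides every row, so a missing or empty entitlement denies access rather than granting it.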
To enable this feature, a custom RLS module artifact is provided as a JAR file. The module integrates with Kyvos using the RLS Callback functionality.
Users must upload a configuration JSON file through the Kyvos Manager interface. This JSON file defines:
RLS rule expressions
Column mappings
Security logic
Additional configuration details required to enable SQL expression-based RLS
Configuration Steps
To configure SQL expression-based Row-Level Security, perform the following steps:
In Kyvos Manager, navigate to Security > Data Security. On that page, upload the provided Callback JAR file. See the Data Security section for more details about the Callback JAR.
Enter the Callback Class Name as com.callback.rls.RLSCallBackProvider
Enter an alias name for this rule. For example, RLSCallback.
To associate the Callback JAR with the semantic model, open the required semantic model.
Go to semantic model Design > Properties > Data Security.
Select the uploaded callback JAR from the list.
Create the required row-level security table in BigQuery.
Go to Kyvos Manager > Manage Configuration Files > kyvos/olapengine/conf/RLSConfiguration.json. For more details on how to configure the RLSConfiguration.json file, see the Managing Configuration Files section.
Run the Update Snapshots process to apply the changes.
Restart the BI Server twice to ensure that the RLS configuration is fully applied.
Run queries in Kyvos to verify that RLS rules are correctly enforced and that users can access only authorized data rows.