Guides
Managing security settings / Row-level security
Control who can access, read, write, or delete records in your app’s data entities using Row-Level Security (RLS) rules. Configure access for each entity to ensure data is only available to authorized users.
Secure data handling
Use this when:
- Sensitive or private data should not be visible to all users.
-
You want to avoid exposing unintended records through APIs, exports, or reports.
Example Use Cases:
- A fitness app where each user should only see his training sessions.
- A company dashboard where employees can only see their own performance metrics
User-specific data views
Use this when:
- You want to personalize the app experience based on user role, department, or ownership.
- Different users or roles should see different subsets of data.
-
You’re building multi-tenant applications where users should not see other tenants’ data.
Example Use Cases:
- A CRM where sales reps only see leads assigned to them.
- A school app where teachers can only view students in their classes.
- An admin panel where different roles (admin, editor, viewer) have different data access levels.
Accessing security settings
1
Navigate to app security
Open your app dashboard and go to the “Security” tab.
2
Access your security dashboard
- In the security dashboard you can see a list of your application data entities
- Each entity shows its current security status: Public or Restricted.
3
Edit your security rules
- Click on an entity to view or update its security rules.
Security modes
- Public access (no restrictions) - All users can access all records in the entity.
- Restricted access - Only users matching defined rules can access records.
Rule types
When editing an entity’s security, you can define rules for:
- Read access
- Write/delete access
-
No Restrictions
All users can access records. -
Creator Only
Users can only access records they created. -
Entity-User field comparison
Compare a field in the entity (e.g., ‘Organization’) with a user property (e.g., user’s ‘Organization’)Example: Only users whose department matches the record’s department can access it. -
User property check
Restrict access based on a user property like ‘role’ or ‘email’.Example: Only users with the role “admin” can access records.
Not sure where to start? Use the security check feature
If you’re unsure which entities need security rules, or want to double-check your setup, you can use the built-in security check feature in your dashboard. It automatically checks for:- Public or overly open data (missing RLS rules)
- Unsafe backend function exposure
- Secrets left in frontend code
You’ll see a list of potential issues. Click Apply Fixes to instantly apply recommended RLS rules, or review and adjust them manually.
Want a walkthrough? See the full security check guide
How to add or edit Rules
1
Choose access type
Switch between Read Access and Write/Delete Access tabs.
2
Add rule
Click “Add Rule”, select a rule type, and complete the required fields.
3
Multiple rules
- Add multiple rules if needed.
- Access is granted if any rule matches (OR logic).
4
Custom write/delete rules
- By default, these inherit from read access.
- Click “Create Custom Write Rules” to define separate rules.
5
Remove rules
- You can click Remove All Rules to remove your entity security rules.
- Use “Remove All Rules” to make the entity public again.
Generated rules (JSON)
All rules are shown as read-only JSON for transparency.Example scenarios
- Public Entity: No rules set — all users have access.
- Creator Only: Add a rule so users can only see their own records.
-
Department-Based Access: Match the record’s
field to the user’s.
-
Admin-only access: Use a role check — only users with
have access.
Visual summary
- Each entity card displays a summary of its current rules.
- Icons and short descriptions indicate Read and Write/Delete settings.
Tips
- You must create entities before configuring security.
- Changes are saved per entity.
- Always click “Save security rules” after editing.