
How to restrict access by role in Supabase RLS?

Learn how to restrict access by role in Supabase using RLS. Follow our step-by-step guide on project setup, schema design, policy creation, and app integration.

Matt Graham, CEO of Rapid Developers


Step 1: Set Up a Supabase Project

 

To start with Supabase and implement role-based access control using Row Level Security (RLS), you'll first need to set up a Supabase project:

  • Sign up for a Supabase account at https://supabase.io.
  • Create a new project.
  • Take note of your API keys and database credentials for later use.

 

Step 2: Define Your Database Schema

 

Before implementing RLS, you need a well-defined database schema. For instance, suppose we have a simple users table with the following fields:

  • id: The primary key of the user. It holds the same UUID that Supabase assigns to the authenticated user (auth.users.id), so that policies can compare it with auth.uid().
  • email: The user's email address.
  • role: The role assigned to the user (e.g., "admin", "editor", "viewer").

Create the users table by navigating to the SQL Editor and running the following SQL:


CREATE TABLE users (
  -- UUID rather than SERIAL: the policies in Step 4 compare id with auth.uid(),
  -- which returns the authenticated user's UUID (auth.users.id).
  id UUID PRIMARY KEY REFERENCES auth.users (id),
  email VARCHAR(255) UNIQUE NOT NULL,
  role VARCHAR(50) NOT NULL CHECK (role IN ('admin', 'editor', 'viewer'))
);

 

Step 3: Enable Row Level Security (RLS)

 

After defining your schema, the next step is to enable RLS on your table. This feature allows you to define policies that restrict table access based on custom criteria. Note that as soon as RLS is enabled, a table with no policies exposes no rows at all to the anon and authenticated roles: access is denied by default until you add policies in the next step (the service_role key bypasses RLS and must never reach a client).

In the Supabase dashboard, navigate to your database table, and execute the following SQL command in the SQL Editor to enable RLS for the users table:


ALTER TABLE users ENABLE ROW LEVEL SECURITY;

 

Step 4: Create Role-Based Access Policies

 

Now, define access policies based on user roles. Policies on the same table for the same command are combined with OR, so each policy only needs to describe the rows its role may touch. Execute the following SQL commands in the SQL Editor:

  • Allow "admin" to select all rows:

-- The policy must test the caller's role, not the row's role column:
-- USING (role = 'admin') on its own would let any user read every row whose
-- role happens to be 'admin'. Here the caller's role comes from a custom JWT
-- claim named user_role (see Step 6). auth.jwt() returns the request's JWT as
-- jsonb; a missing claim yields NULL, which the policy treats as false.
CREATE POLICY "Admins can read all data"
  ON users FOR SELECT
  USING ((auth.jwt() ->> 'user_role') = 'admin');

  • Allow "editor" to update rows with certain conditions:

-- auth.uid() is the caller's UUID; tying the row to it means the row's role
-- column is the caller's own role. With no WITH CHECK clause, the USING
-- expression is also applied to the updated row, so an editor cannot change
-- their own role to 'admin'.
CREATE POLICY "Editors can update their data"
  ON users FOR UPDATE
  USING (role = 'editor' AND auth.uid() = id);

  • Allow "viewer" (and "editor") to select only their own row:

-- Editors are included because Postgres also applies SELECT policies to the
-- rows an UPDATE reads through its WHERE clause; without read access the
-- editor's UPDATE above would silently match zero rows.
CREATE POLICY "Viewers and editors can read their own row"
  ON users FOR SELECT
  USING (role IN ('editor', 'viewer') AND auth.uid() = id);

auth.uid() is Supabase's built-in function that returns the authenticated user's UUID from the request's JWT. If you use a different authentication layer, replace it with the function or session variable that links your application's user identity to the row identifier.

 

Step 5: Test Your RLS Policies

 

After creating your RLS policies, it's imperative to test them to ensure they work as expected. You can do this directly through SQL queries in the Supabase dashboard or by integrating them into your application. Test the negative cases as well as the positive ones: a viewer querying another user's row should get an empty result, not an error.

  • Test with sample queries:

-- As an admin user
SELECT * FROM users; -- should return all rows

-- As an editor user
UPDATE users SET email = '<new_email>' WHERE id = '<editor_id>'; -- only updates their row

-- As a viewer user
SELECT * FROM users WHERE id = '<viewer_id>'; -- should return only their row

Ensure you replace <editor_id>, <viewer_id> and <new_email> with the actual test user IDs and value that you want to test against. Remember that statements run as the postgres role in the SQL Editor bypass RLS (it owns the table), so run the checks as the authenticated role with the test user's JWT claims set, or through your application while signed in as that user.
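As an added example that is not part of the original tutorial, the script below runs the Step 5 checks for all three roles from the SQL Editor without creating real sessions. It assumes the users table and the policies from Steps 2 to 4 are in place, that the caller's role is carried in a JWT claim named user_role (an assumed claim name, matching Step 6), and that <admin_id>, <editor_id> and <viewer_id> are replaced with the UUIDs of three test users. Supabase's auth.uid() and auth.jwt() read the request.jwt.claims setting, so setting it inside a transaction impersonates that user, and the ROLLBACK discards any writes.

```sql
-- Added example, not from the original tutorial. Assumes the users table and
-- policies from Steps 2-4, a JWT claim named user_role (assumed name), and three
-- test users whose UUIDs replace <admin_id>, <editor_id> and <viewer_id>.
-- auth.uid() / auth.jwt() read request.jwt.claims, so setting it inside a
-- transaction impersonates that user; ROLLBACK discards any writes.

-- 1. Admin: the admin policy makes every row visible.
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub":"<admin_id>","role":"authenticated","user_role":"admin"}';
SELECT id, email, role FROM users ORDER BY email;
ROLLBACK;

-- 2. Viewer: only their own row passes the SELECT policy; other rows are
--    filtered out rather than rejected, and there is no UPDATE policy for
--    viewers, so the UPDATE matches no rows instead of raising an error.
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub":"<viewer_id>","role":"authenticated","user_role":"viewer"}';
SELECT id, email, role FROM users;                   -- no WHERE needed: RLS filters
SELECT count(*) FROM users WHERE id = '<admin_id>';  -- the admin's row is not visible
UPDATE users SET email = '<new_email>' WHERE id = '<viewer_id>';
ROLLBACK;

-- 3. Editor: may update their own row only, and may not promote themselves.
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub":"<editor_id>","role":"authenticated","user_role":"editor"}';
UPDATE users SET email = '<new_email>' WHERE id = '<editor_id>';  -- own row: allowed
UPDATE users SET email = '<new_email>' WHERE id = '<viewer_id>';  -- not visible: no rows matched
-- The updated row would no longer satisfy the policy's check (role must stay
-- 'editor'), so Postgres raises "new row violates row-level security policy"
-- and aborts the transaction; keep this statement last.
UPDATE users SET role = 'admin' WHERE id = '<editor_id>';
ROLLBACK;
```

Run each transaction separately if you want to read its result set in the dashboard; the failing statement in the editor block is the important one, since it proves an editor cannot escalate their own role through the UPDATE policy.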

 

Step 6: Integrate with Your Application

 

Finally, integrate these RLS policies with your application. Ensure your application sets the correct session variables or tokens that map to the roles defined in your policies.

For instance, you might set JWT claims during authentication that reflect the user's role and use these claims to interact with the Supabase API.
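Step 6 leaves open how the role reaches the JWT. As an added example, not code from the tutorial, this is a Supabase Custom Access Token Hook that copies users.role into a user_role claim when a token is issued, which is the claim the admin policy in Step 4 reads with auth.jwt() ->> 'user_role'. It assumes the users table from Step 2 (id = auth.users.id) and the assumed claim name user_role; custom_access_token_hook is the conventional name for this hook, and the hook must still be switched on under the Authentication hooks settings in the dashboard.

```sql
-- Added example, not from the original tutorial. Assumes the users table from
-- Step 2 and a claim name of user_role (assumed). supabase_auth_admin is the role
-- Supabase Auth uses to call the hook, so it needs EXECUTE on the function and
-- read access to users despite RLS.

CREATE OR REPLACE FUNCTION public.custom_access_token_hook(event jsonb)
RETURNS jsonb
LANGUAGE plpgsql
STABLE
AS $$
DECLARE
  claims   jsonb;
  app_role text;
BEGIN
  -- Look up the role stored for the user the token is being minted for.
  SELECT role INTO app_role
    FROM public.users
   WHERE id = (event ->> 'user_id')::uuid;

  claims := event -> 'claims';

  -- A user without a users row gets an explicit JSON null claim rather than
  -- none at all; the admin policy treats both as "not admin". The COALESCE
  -- matters because jsonb_set returns NULL when given a NULL new value.
  claims := jsonb_set(claims, '{user_role}', COALESCE(to_jsonb(app_role), 'null'::jsonb));

  RETURN jsonb_set(event, '{claims}', claims);
END;
$$;

-- Only Supabase Auth may run the hook; clients must not be able to call it.
GRANT USAGE ON SCHEMA public TO supabase_auth_admin;
GRANT EXECUTE ON FUNCTION public.custom_access_token_hook TO supabase_auth_admin;
REVOKE EXECUTE ON FUNCTION public.custom_access_token_hook FROM authenticated, anon, public;

-- RLS is enabled on users (Step 3), so the auth role needs both a grant and a policy.
GRANT SELECT ON TABLE public.users TO supabase_auth_admin;
CREATE POLICY "Auth admin can read roles for token claims"
  ON public.users FOR SELECT TO supabase_auth_admin
  USING (true);
```

Because the claim is written into the token at sign-in and on each refresh, a role change in the users table only takes effect once the user's token is refreshed; if you need revocation to be immediate, keep the role check in the database (for example a SECURITY DEFINER function the policy calls) instead of trusting the claim.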

 

Now you've set up a detailed role-based access control with RLS in Supabase! Make sure to further refine policies as needed based on your real-world requirements and test thoroughly before going live.
