Row-Level Security sucks. Can we make it usable?

Row-Level Security (RLS) in PostgreSQL is awesome because it lets you isolate each user or tenant's data, lock it down, and default to "deny access." This makes RLS a powerful tool for enforcing security in multi-tenant applications. However, the RLS implementation in Postgres also has drawbacks; it makes assumptions about your application's design that may not be applicable in many cases.

If your application wasn’t developed with RLS in mind and uses a single application user to connect to the database, using RLS meaningfully may seem impossible as it can require significant reworking of your app’s structure and logic, leaving many developers unsure of how to proceed.

In this talk, we’ll look at practical ways to roll out RLS that allow you to take advantage of this powerful feature in the real world, even if your application’s architecture wasn't designed with it in mind. We’ll explore strategies to make the RLS feature work with existing setups and give actionable steps to make RLS work without requiring an extensive overhaul to the application.