manage_rls

Manage Row-Level Security (RLS): enable on tables, create/update/delete policies, list, and one-shot user isolation setup. Actions: - "enable": Enable RLS on a table (foundation — no policies yet) - "create_policy": Create a custom RLS policy with USING / WITH CHECK expressions - "update_policy": Atomically update an existing policy (drops and re-creates in one tx) - "create_user_isolation": One-shot — enable RLS, create policy so users see only their rows, install auto-populate trigger - "list": List all RLS policies for the app (and tables_with_rls without policies) - "delete": Delete one policy (if policy_name set) or ALL policies on the table (and disable RLS) Parameters by action: enable: { app_id, action: "enable", table_name } create_policy: { app_id, action: "create_policy", table_name, policy_name, command?, role?, using_expression?, with_check_expression?, restrictive?, user_column? } update_policy: { app_id, action: "update_policy", table_name, policy_name, command?, role?, using_expression?, with_check_expression?, restrictive? } create_user_isolation: { app_id, action: "create_user_isolation", table_name, user_column, public_read_column? } list: { app_id, action: "list" } delete: { app_id, action: "delete", table_name, policy_name? } Built-in roles (assigned automatically by the platform — you never create them): - butterbase_anon: no auth header → "anon" in policies - butterbase_user: valid end-user JWT → "user" in policies; current_user_id() returns user id - butterbase_service: platform API key → automatic full-access bypass; no policy needed create_policy guidance: - command defaults to ALL. SELECT/DELETE: only using_expression. INSERT: only with_check_expression. UPDATE/ALL: both. - role: omit to apply to all roles, or set "anon" / "user" to scope and prevent cross-role policy leaks. - restrictive: true → policy is AND'd with permissive ones; useful for cross-table checks that must always hold. - user_column: pass to install a BEFORE INSERT trigger that auto-fills the column from current_user_id() — without it, clients must include the column in POST bodies or insert is rejected with AUTH_RLS_POLICY_VIOLATION. - For UUID columns, cast: current_user_id()::uuid Cross-table subqueries pitfall: EXISTS(SELECT 1 FROM other_table WHERE ...) inside a policy runs under the SAME user's RLS context. If other_table has user_isolation, the subquery only sees the current user's rows, even for "public" rows. Fix: add a permissive SELECT policy on the referenced table for the rows the subquery needs, OR use "create_user_isolation" with public_read_column to set this up in one call. create_user_isolation does: 1. Enables RLS on the table 2. User isolation policy (rows where user_column = current_user_id()) 3. Auto-populate trigger for user_column on INSERT 4. Auto service bypass policy 5. If public_read_column set: extra SELECT policies for butterbase_user + butterbase_anon allowing reads where that boolean column is true ("own rows + public read" pattern in one call) delete behavior: - With policy_name: removes that single policy (RLS stays enabled) - Without policy_name: removes ALL policies AND disables RLS — table becomes globally accessible Common errors: - VALIDATION_TABLE_NOT_FOUND: create the table with manage_schema (action: "apply") first - VALIDATION_COLUMN_NOT_FOUND: user_column missing from the table - VALIDATION_INVALID_TYPE: user_column must be UUID or TEXT - RLS_TYPE_MISMATCH: cast types in expressions, e.g. current_user_id()::uuid - RLS_INVALID_EXPRESSION: SQL syntax error - RESOURCE_NOT_FOUND: policy doesn't exist (update_policy) — use create_policy first Idempotency: enable, create_policy, update_policy, create_user_isolation, delete — all safe to retry.. It is categorised as a Write tool in the Mcp MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.

Register the MCP server in PolicyLayer and add a rule for manage_rls: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Mcp. Nothing to install.

manage_rls is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.

Yes. Add a rate_limit block to the manage_rls rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

Set action: deny in the PolicyLayer policy for manage_rls. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

manage_rls is provided by the MCP server (@butterbase/mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.