Row-Level Security (RLS) is a fine-grained access control mechanism that restricts which rows of data a principal can access within a BigQuery table. This is implemented using Row Access Policies (RAPs).
A Row Access Policy is a table-level object that filters rows at query time based on two components:
- A Grantee List: the Google Principals (users, Google Groups, etc.) to whom the Policy applies.
- A Filter Expression: an SQL predicate that determines which rows are visible to the granted principals.
Row Access Policies provide dynamic, identity-aware filtering without modifying the underlying data, ensuring that users only see rows they are authorized to access.
If a user belongs to multiple groups, each with a different Row Access Policy on the same table, BigQuery applies union (OR) logic — the user sees all rows permitted by any of the applicable Policies. This aligns with PlainID's standard permissive combining algorithm, so no additional merge logic is required.
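The two components and the union behavior described above, as an added BigQuery SQL example that is not taken from PlainID's documentation. The dataset, table, policy names, and group addresses are constructed for illustration.

```sql
-- Constructed sample table (names and data are assumptions for this example).
CREATE TABLE demo_ds.orders (
  order_id INT64,
  region   STRING,
  amount   INT64
);

INSERT INTO demo_ds.orders (order_id, region, amount) VALUES
  (1, 'EMEA', 100),
  (2, 'APAC', 250),
  (3, 'AMER', 400);

-- Policy 1: Grantee List = the EMEA sales group,
--           Filter Expression = region = 'EMEA'.
CREATE ROW ACCESS POLICY emea_orders
ON demo_ds.orders
GRANT TO ('group:sales-emea@example.com')
FILTER USING (region = 'EMEA');

-- Policy 2: a second policy on the same table for a different group.
CREATE ROW ACCESS POLICY apac_orders
ON demo_ds.orders
GRANT TO ('group:sales-apac@example.com')
FILTER USING (region = 'APAC');

-- The query text is identical for every caller; BigQuery applies the
-- filters at query time according to the caller's identity.
SELECT order_id, region, amount
FROM demo_ds.orders
ORDER BY order_id;

-- Member of sales-emea only        -> row 1
-- Member of sales-apac only        -> row 2
-- Member of both groups (union/OR) -> rows 1 and 2, as if the filter were
--                                     region = 'EMEA' OR region = 'APAC'
-- Member of neither group          -> no rows: once a table has at least one
--                                     Row Access Policy, a principal that is
--                                     on no Grantee List sees nothing.
```

Row 3 (`AMER`) is visible to none of these groups, because no policy's filter matches it.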
Google BigQuery Row-Level Policy in PlainID
Row-Level Policies in PlainID can be viewed in Native mode.
To view a Row-Level Policy in Native:
- In the Policies Workspace, select the relevant Policy connected to Google BigQuery.
- On the top navigation bar, click Native.
- The Native Code panel displays the discovered Google BigQuery Policy divided into relevant sections such as Policy Core Logic and Identity links.
In Learn Mode, the Native view is read-only. You can view the native Row-Level Policy structure but cannot make changes.
Known Limitations
| Limitation | Details |
|---|---|
| Native Mode | This POP can only be used in Native Mode. |
| Policy Edits | Editing Policies in the Native tab under Learn Mode is not intended behavior; users should refrain from making Policy changes in their Platform until Manage Mode is released. |