Column-level security (CLS) lets you hide sensitive columns without blocking access to the entire table. This is useful for protecting PII, financial data, or other fields that only certain users should see.
Column scope is defined per table within a connection’s query permissions. When a query runs, Reeflow checks every column reference against the allowed list.
For example, if a table has columns id, name, email, and ssn, but the principal can only access id, name, and email:
Becomes:
SELECT customers.id, customers.name, customers.email FROM customers
| Query pattern | Behavior |
| --- | --- |
| SELECT * | Expands to only allowed columns. Denied columns are hidden silently. |
| SELECT denied_column | Returns an error. Explicit references to denied columns always fail. |
| WHERE denied_column = ... | Returns an error. |
| ORDER BY denied_column | Returns an error. |
| GROUP BY denied_column | Returns an error. |
| Expressions and aggregations | Returns an error if any denied column is referenced. |
| Subqueries | Denied columns are checked recursively. |
Union semantics for columns
Column permissions from all roles merge as a union. If any role grants access to a column, the principal can see it. A role with “all columns” access grants visibility to every column in that table, even if other roles restrict specific columns.
Permissions can apply broadly or to specific columns:
All columns: The principal can see every column in the table. Use this for internal roles or tables without sensitive data.
Specific columns: The principal can only see columns in the allowed list. Use this to hide PII, financial data, or other sensitive fields.
If no column permission is defined for a table, no columns are accessible (deny by default).
Configure column permissions in the Console
Define which columns a role can access for each table. Use 'All columns' for full access or 'Per table' to select specific columns.
1. Navigate to Roles and open a role for editing
2. Expand Connections and enable the Query action
3. Click Configure on a connection
4. Set Columns to All columns or Per table
5. If Per table, expand each table and select the columns to allow
Configuring column permissions in the Console
API implementation
When using the API, column scope is defined in the columns property of query permissions. Use { all: true } for all columns or { only: ['col1', 'col2'] } for specific columns. For syntax details, see the Roles API reference.
| Scenario | Result |
| --- | --- |
| SELECT * with denied columns | Success with filtered results (denied columns silently excluded) |
| Denied column explicitly referenced | 400 Bad Request with “Access denied to column ‘columnName’” |
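The following is an added example, not Reeflow's code and not part of the original page. It models the rules described above: union of column scopes across roles, deny by default, silent filtering for SELECT *, and an error for an explicit reference to a denied column. The role shape (a map from table name to a { all: true } or { only: [...] } scope) and the function names effectiveColumns and resolveColumns are assumptions made for illustration.

```javascript
// Illustrative model of the rules on this page; not Reeflow's implementation.
// Assumed role shape: { [tableName]: { all: true } | { only: [...] } }.

// Merge the column scopes for one table across all roles (union semantics).
function effectiveColumns(roles, table) {
  const allowed = new Set();
  for (const role of roles) {
    const scope = role[table];
    if (!scope) continue;                         // this role grants nothing here
    if (scope.all === true) return { all: true }; // "all columns" overrides narrower roles
    for (const col of scope.only ?? []) allowed.add(col);
  }
  return { only: [...allowed] };                  // empty list means deny by default
}

// Resolve a requested column list against the merged scope.
// '*' expands to allowed columns only; an explicit denied column throws.
function resolveColumns(scope, tableColumns, requested) {
  const isAllowed = (c) => scope.all === true || scope.only.includes(c);
  const out = [];
  for (const col of requested) {
    if (col === '*') {
      out.push(...tableColumns.filter(isAllowed)); // denied columns dropped silently
    } else if (isAllowed(col)) {
      out.push(col);
    } else {
      // Message and status follow the page's error table.
      const err = new Error(`Access denied to column '${col}'`);
      err.status = 400;
      throw err;
    }
  }
  return out;
}

// Constructed sample data: one table and three hypothetical roles.
const customers = ['id', 'name', 'email', 'ssn'];
const support = { customers: { only: ['id', 'name'] } };
const billing = { customers: { only: ['id', 'email'] } };
const admin = { customers: { all: true } };
```

When reviewing a principal's access, note that adding any role with all columns on a table (admin in the sample data) makes every column visible, regardless of what the principal's other roles restrict.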