Row Level Security policy templates for Supabase - multi-tenant patterns, user isolation, role-based access, and secure-by-default configurations. Use when securing Supabase tables, implementing RLS policies, building multi-tenant AI apps, protecting user data, creating chat/RAG systems, or when user mentions row level security, RLS, Supabase security, tenant isolation, or data access policies.
/plugin marketplace add vanman2024/ai-dev-marketplace
/plugin install supabase@ai-dev-marketplace
This skill is limited to using the following tools:
Files in this skill:
README.md
VALIDATION.md
examples/common-patterns.md
examples/migration-guide.md
examples/testing-guide.md
scripts/apply-rls-policies.sh
scripts/audit-rls.sh
scripts/generate-policy.sh
scripts/test-rls-policies.sh
templates/ai-chat-policies.sql
templates/embeddings-policies.sql
templates/multi-tenant.sql
templates/role-based-access.sql
templates/user-isolation.sql
Production-ready Row Level Security policy templates for Supabase applications, with a focus on AI application patterns (multi-tenant chat, RAG systems, user-specific embeddings).
Apply policies to tables:
# Apply user isolation policies
bash scripts/apply-rls-policies.sh user-isolation conversations messages
# Apply multi-tenant policies
bash scripts/apply-rls-policies.sh multi-tenant organizations org_members documents
# Apply AI-specific policies
bash scripts/apply-rls-policies.sh ai-chat conversations messages message_embeddings
Generate custom policy:
# Generate policy from template
bash scripts/generate-policy.sh user-isolation my_table user_id
# Generate with custom column
bash scripts/generate-policy.sh multi-tenant projects organization_id
Test policies work correctly:
# Test all policies on a table
bash scripts/test-rls-policies.sh conversations
# Test specific user context
bash scripts/test-rls-policies.sh messages --user-id "user-uuid-here"
# Test multi-tenant isolation
bash scripts/test-rls-policies.sh documents --org-id "org-uuid-here"
Audit tables for missing RLS:
# Audit all tables in public schema
bash scripts/audit-rls.sh
# Audit specific tables
bash scripts/audit-rls.sh conversations messages embeddings
# Generate audit report
bash scripts/audit-rls.sh --report audit-report.md
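The checks that test-rls-policies.sh and audit-rls.sh perform can be reproduced directly in psql. The SQL below is an added example, not the marketplace's own scripts: it lists public tables that have RLS disabled or enabled with no policies, then simulates an authenticated user and the anon role inside transactions that are rolled back. The conversations table, its user_id column and the UUIDs are constructed for illustration.

```sql
-- Added example (not scripts/audit-rls.sh or scripts/test-rls-policies.sh).
-- Table name, column name and UUIDs are constructed for illustration.

-- 1. Audit: tables in public with RLS disabled, or enabled but without any
--    policy (which denies everything except to the owner / service role).
select n.nspname as schema_name,
       c.relname as table_name,
       c.relrowsecurity as rls_enabled,
       (select count(*) from pg_policies p
         where p.schemaname = n.nspname and p.tablename = c.relname) as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and (not c.relrowsecurity
       or not exists (select 1 from pg_policies p
                      where p.schemaname = n.nspname and p.tablename = c.relname))
order by 2;

-- 2. Test: simulate an authenticated user. auth.uid() reads the 'sub' claim
--    from the request.jwt.claims setting, so a transaction-local value is enough.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);

-- Every visible row must belong to the simulated user; a non-zero
-- "leaked" count means a SELECT policy is too permissive.
select count(*) filter (where user_id <> (select auth.uid())) as leaked,
       count(*) as visible
from conversations;

-- Writing a row owned by somebody else must be rejected by WITH CHECK.
-- Expected: ERROR: new row violates row-level security policy
insert into conversations (user_id, title)
values ('00000000-0000-0000-0000-000000000002', 'should fail');
rollback;

-- 3. Test: the anon role. With policies scoped TO authenticated this
--    must return zero rows rather than an error.
begin;
set local role anon;
select count(*) as anon_visible from conversations;
rollback;
```

Run it with `psql "$SUPABASE_DB_URL" -f audit-and-test.sql` as a role that may `SET ROLE` to authenticated and anon (the postgres user on Supabase can). Because each test runs in a transaction that is rolled back, the failing insert leaves no trace.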
Choose the right pattern:
user-isolation.sql: User owns row directly (user_id column); policy check is auth.uid() = user_id
multi-tenant.sql: Organization/team-based isolation
role-based-access.sql: Different permissions per role, read from auth.jwt() claims
ai-chat-policies.sql: Chat/conversation data
embeddings-policies.sql: Vector/embedding data
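To make the first two patterns concrete, here is an added example of what user-isolation and multi-tenant policies look like as executable SQL. It is illustrative code, not the contents of templates/user-isolation.sql or templates/multi-tenant.sql; the tables conversations, organizations, org_members and documents, the is_org_member helper and the role values are assumptions chosen for the example.

```sql
-- Added example (not the marketplace's templates). Table, column and helper
-- names are assumptions for illustration.

-- Pattern 1: user isolation. The row carries its owner's id directly.
create table if not exists conversations (
  id uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users(id) on delete cascade,
  title text,
  created_at timestamptz not null default now()
);
alter table conversations enable row level security;

-- One policy per command keeps intent explicit. WITH CHECK on INSERT/UPDATE
-- stops a user from creating or re-assigning rows to someone else.
create policy "conversations_select_own" on conversations
  for select to authenticated
  using ((select auth.uid()) = user_id);
create policy "conversations_insert_own" on conversations
  for insert to authenticated
  with check ((select auth.uid()) = user_id);
create policy "conversations_update_own" on conversations
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);
create policy "conversations_delete_own" on conversations
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Pattern 2: multi-tenant. Rows belong to an organization and access is
-- decided by membership. The helper is SECURITY DEFINER so the membership
-- table itself can stay locked down; search_path is pinned to avoid
-- resolving org_members to an attacker-created table in another schema.
create table if not exists organizations (
  id uuid primary key default gen_random_uuid(),
  name text not null
);
create table if not exists org_members (
  organization_id uuid not null references organizations(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  role text not null default 'member' check (role in ('owner', 'admin', 'member')),
  primary key (organization_id, user_id)
);
create table if not exists documents (
  id uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations(id) on delete cascade,
  content text
);
alter table organizations enable row level security;
alter table org_members enable row level security;
alter table documents enable row level security;

create or replace function is_org_member(org uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from org_members
    where organization_id = org
      and user_id = (select auth.uid())
  );
$$;
revoke execute on function is_org_member(uuid) from public;
grant execute on function is_org_member(uuid) to authenticated;

-- Members of the org can read and write its documents; the same check is
-- used for WITH CHECK so nobody can move a document into another org.
create policy "documents_member_all" on documents
  for all to authenticated
  using (is_org_member(organization_id))
  with check (is_org_member(organization_id));

create policy "organizations_select_member" on organizations
  for select to authenticated
  using (is_org_member(id));

-- Users see only their own membership rows. No INSERT/UPDATE/DELETE policy
-- exists, so membership changes must go through the service role.
create policy "org_members_select_self" on org_members
  for select to authenticated
  using (user_id = (select auth.uid()));
```

The deliberate asymmetry in the multi-tenant pattern is that membership is readable but not writable by end users: if org_members had a permissive INSERT policy, any authenticated user could add themselves to any organization and the documents policy would then let them in.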
Example 1: Secure Chat Application
-- Apply chat policies to tables
\i templates/ai-chat-policies.sql
-- Tables: conversations, messages, participants
-- Result: Users only see conversations they participate in
Example 2: Multi-Tenant RAG System
-- Apply organization isolation
\i templates/multi-tenant.sql
-- Apply embedding security
\i templates/embeddings-policies.sql
-- Tables: organizations, documents, document_embeddings
-- Result: Each org only sees their own documents and embeddings
Example 3: Role-Based Admin Panel
-- Apply role-based policies
\i templates/role-based-access.sql
-- Roles: admin (full access), editor (read/write), viewer (read-only)
-- Result: Different permissions based on user role
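The role-based pattern above depends on where the role claim comes from. The following is an added example, not templates/role-based-access.sql, showing admin/editor/viewer policies that read the role from the JWT's app_metadata; the articles table and the current_app_role helper are assumptions for illustration.

```sql
-- Added example (not templates/role-based-access.sql). The role is read from
-- app_metadata, which only the service role can set. user_metadata is
-- writable by the user through the auth API and must never gate access.
-- Table name, helper name and role values are assumptions for illustration.
create or replace function current_app_role()
returns text
language sql stable
as $$
  select coalesce(auth.jwt() -> 'app_metadata' ->> 'role', 'viewer');
$$;

create table if not exists articles (
  id uuid primary key default gen_random_uuid(),
  title text not null,
  body text
);
alter table articles enable row level security;

-- viewer, editor and admin may all read.
create policy "articles_select_any_role" on articles
  for select to authenticated
  using (current_app_role() in ('viewer', 'editor', 'admin'));

-- editor and admin may create and change articles.
create policy "articles_insert_editor" on articles
  for insert to authenticated
  with check (current_app_role() in ('editor', 'admin'));
create policy "articles_update_editor" on articles
  for update to authenticated
  using (current_app_role() in ('editor', 'admin'))
  with check (current_app_role() in ('editor', 'admin'));

-- only admin may delete.
create policy "articles_delete_admin" on articles
  for delete to authenticated
  using (current_app_role() = 'admin');
```

Roles are assigned server-side, for example with the service key via `supabase.auth.admin.updateUserById(userId, { app_metadata: { role: 'editor' } })`; the change only reaches policies once the user obtains a fresh JWT, so role downgrades take effect at token refresh rather than immediately.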
Prerequisites:
psql (PostgreSQL client) installed
SUPABASE_DB_URL: PostgreSQL connection string
SUPABASE_ANON_KEY: For testing anon access
SUPABASE_SERVICE_KEY: For admin operations
Best Practices:
Use (SELECT auth.uid()) instead of auth.uid() in policy expressions for performance
Index the columns your policies filter on: CREATE INDEX idx_table_user_id ON table(user_id);
Add explicit filters such as .eq('user_id', userId) in client code in addition to RLS
Scope policies with TO authenticated to skip anon checks
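The best practices above are easiest to see as a before/after on one policy. This is an added example, not code from the page's templates; the messages table and its user_id column are assumed, and the EXPLAIN at the end is the check that the rewrite actually changed the plan.

```sql
-- Added example (not from the page's templates). The messages table and its
-- user_id column are assumptions for illustration.

-- BEFORE: auth.uid() is called once per row, the policy applies to every
-- role (anon requests evaluate it too), and user_id has no index, so the
-- planner falls back to a sequential scan with a per-row filter.
create policy "messages_owner_slow" on messages
  for select
  using (auth.uid() = user_id);

-- AFTER: the scalar subquery lets the planner evaluate auth.uid() once as an
-- InitPlan; TO authenticated skips the policy entirely for anon; the index
-- turns the ownership filter into an index scan.
drop policy if exists "messages_owner_slow" on messages;
create index if not exists idx_messages_user_id on messages (user_id);
create policy "messages_owner" on messages
  for select to authenticated
  using ((select auth.uid()) = user_id);

-- VERIFY under the authenticated role (a superuser bypasses RLS, so the plan
-- would be misleading). The explicit WHERE mirrors the client-side
-- .eq('user_id', userId) filter the best practices recommend.
-- Expect an Index Scan on idx_messages_user_id with an InitPlan, not a Seq Scan.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
explain (analyze, costs off)
select id, user_id, created_at
from messages
where user_id = (select auth.uid());
rollback;
```

The client-side filter is not a substitute for the policy; it is redundant by design. RLS remains the security boundary, while the explicit filter gives the planner a selective predicate even on tables where the policy expression alone would not be pushed down.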