Skip to content
Inconvo
Docs
Row-Level Security

Row-Level Security

Implement fine-grained data access controls with context filters and user context.


Row-level security (RLS) ensures that each user only sees the data they’re authorized to access. Inconvo implements RLS through context filters that are applied automatically to every query.

Single-level: Organisation scoping

Section titled “Single-level: Organisation scoping”

The most common pattern — every queryable table is filtered by organisationId. You set a context filter on each table individually:

WHERE orders.organisation_id = userContext.organisationId;
WHERE users.organisation_id = userContext.organisationId;
WHERE products.organisation_id = userContext.organisationId;
const conversation = await inconvo.agents.conversations.create(agentId, {
  userIdentifier: "user_123",
  userContext: {
    organisationId: 1,
  },
});

Multi-level: Organisation + Team

Section titled “Multi-level: Organisation + Team”

Some tables should be scoped to the organisation, while others should be further restricted to a team:

-- Organisation-level tables (orders, products, etc.)
WHERE orders.organisation_id = userContext.organisationId;


-- Team-level tables (projects, tasks, etc.)
WHERE projects.team_id = userContext.teamId;
const conversation = await inconvo.agents.conversations.create(agentId, {
  userIdentifier: "user_123",
  userContext: {
    organisationId: 1,
    teamId: 42,
  },
});

User-level: Personal data

Section titled “User-level: Personal data”

For tables containing personal data (notes, drafts, preferences):

WHERE notes.user_id = userContext.userId;

Mixed scoping

Section titled “Mixed scoping”

You can combine different scoping levels across tables in the same agent:

TableScopeFilter
ordersOrganisationorganisation_id = userContext.organisationId
projectsTeamteam_id = userContext.teamId
notesUseruser_id = userContext.userId
productsOrganisationorganisation_id = userContext.organisationId

The corresponding userContext would include all required fields:

userContext: {
  organisationId: 1,
  teamId: 42,
  userId: "user_123",
}

Testing your RLS setup

Section titled “Testing your RLS setup”
  1. Create two conversations with different userContext values
  2. Ask the same question in both (e.g. “How many orders do we have?”)
  3. Verify each returns only the expected data for their context
  4. Check the traces to confirm context filters were applied

Common mistakes

Section titled “Common mistakes”
MistakeImpactFix
Missing filter on a tableData leaks across tenantsAdd context filters to every Queryable table
Wrong column in filterQueries fail or return wrong dataDouble-check column names match your schema
Forgetting to pass userContext400 Invalid userContext errorAlways pass all required context fields when creating conversations
Copyright © 2026 Ten Development Solutions, Inc. All rights reserved.
Home Documentation Connections API Reference CLI Examples Ask an expert Get Started

Documentation

Getting Started

Introduction Quickstart Connect a Database

Configure

Semantic Model User Context Datasets

Integrate

API Integration Streaming Assistant-UI Vercel AI SDK MCP Servers

Monitor

Monitor

Connections

Databases

PostgreSQL MySQL Microsoft SQL Server Amazon Redshift (beta) BigQuery Supabase

CLI

Overview Model Commands Connection Commands

Examples

Overview Multi-Tenant Setup Computed Columns Row-Level Security

API Reference

Introduction

Agents

Retrieve data summary GET

Conversations

Create conversation POST List conversations GET Retrieve conversation GET Create response POST Retrieve response GET Create feedback POST Update feedback PATCH

Datasets

List dataset files GET Upload dataset file POST Delete dataset file DELETE

MCP Servers

Create tenant POST Delete tenant POST

Streaming

response.created response.progress response.completed