Batch RLS Management API

API reference for bulk updating Row-Level Security (RLS) permissions across entities of a given type

apirlspermissionsdeveloper

The batch RLS endpoint allows project administrators to update Row-Level Security (RLS) permissions across multiple entities of a given type in a single operation.

Endpoint

POST /api/projects/{projectId}/types/{typeId}/batch-rls

Required permission: RLS_UPDATE_PERMISSION on the project.

Request body

interface BatchRlsRequest {
  action: "setPermission" | "removePermission" | "addUserId" | "removeUserId" | "resetToDefault";
  operations?: ("read" | "update" | "delete")[];  // required for all actions except resetToDefault
  permission?: string;   // required for setPermission / removePermission
  userId?: string;       // required for addUserId / removeUserId
  filter?: {
    rlsOperation?: "read" | "update" | "delete";
    rlsPermission?: string;
    rlsUserId?: string;
  };
  dryRun?: boolean;      // preview matching entities without modifying
}

Actions

Action Description Required fields
setPermission Set the permission string on specified RLS operations operations, permission
removePermission Remove the permission from specified RLS operations operations, permission
addUserId Add a user ID to the allowed users list on specified operations operations, userId
removeUserId Remove a user ID from the allowed users list on specified operations operations, userId
resetToDefault Reset all matching entities to the type's defaultAccess configuration

The permission field should be provided without the project prefix — the API adds {projectId}:: automatically. If the permission already contains ::, it is used as-is.

Dry run (preview)

Set dryRun: true to preview how many entities match the filter without modifying anything.

// Request
{
  "action": "setPermission",
  "operations": ["read"],
  "permission": "viewer",
  "dryRun": true
}

// Response
{
  "matchingCount": 42,
  "action": "setPermission",
  "operations": ["read"],
  "dryRun": true
}

Filtering

Use the filter object to target a subset of entities:

  • rlsOperation — match entities that have a specific RLS operation configured (e.g. "read").
  • rlsPermission — match entities with a specific permission value. When combined with rlsOperation, matches that exact operation; otherwise matches any operation.
  • rlsUserId — match entities that include a specific user ID. Scoping follows the same rules as rlsPermission.

Without a filter, the operation applies to all non-deleted entities of the type.

Response

Dry run

{
  "matchingCount": 42,
  "action": "setPermission",
  "operations": ["read"],
  "dryRun": true
}

Execute

{
  "matchingCount": 42,
  "modifiedCount": 42,
  "action": "setPermission",
  "operations": ["read"],
  "dryRun": false
}

Error responses

Status Condition
400 Missing or invalid action, operations, permission, or userId
400 Type has no defaultAccess configured (for resetToDefault)
404 Type not found in the specified project

UI

The batch RLS management tool is available in the backoffice under Settings → Types → [Type] → Manage Access tab. The UI enforces a two-step workflow: users must first Preview (dry run) before they can Apply Changes.

Markdown | llm.txt