Title: Batch RLS Management API

Description: API reference for bulk updating Row-Level Security (RLS) permissions across entities of a given type

Tags: api, rls, permissions, developer

---

The batch RLS endpoint allows project administrators to update Row-Level Security (RLS) permissions across multiple entities of a given type in a single operation.

Endpoint

POST /api/projects/{projectId}/types/{typeId}/batch-rls

Required permission: RLSUPDATEPERMISSION on the project.

Request body

interface BatchRlsRequest {
  action: "setPermission" | "removePermission" | "addUserId" | "removeUserId" | "resetToDefault";
  operations?: ("read" | "update" | "delete")[];  // required for all actions except resetToDefault
  permission?: string;   // required for setPermission / removePermission
  userId?: string;       // required for addUserId / removeUserId
  filter?: {
    rlsOperation?: "read" | "update" | "delete";
    rlsPermission?: string;
    rlsUserId?: string;
  };
  dryRun?: boolean;      // preview matching entities without modifying
}

Actions

| Action | Description | Required fields |
|--------|-------------|-----------------|
| setPermission | Set the permission string on specified RLS operations | operations, permission |
| removePermission | Remove the permission from specified RLS operations | operations, permission |
| addUserId | Add a user ID to the allowed users list on specified operations | operations, userId |
| removeUserId | Remove a user ID from the allowed users list on specified operations | operations, userId |
| resetToDefault | Reset all matching entities to the type's defaultAccess configuration | — |

The permission field should be provided without the project prefix — the API adds {projectId}:: automatically. If the permission already contains ::, it is used as-is.

Dry run (preview)

Set dryRun: true to preview how many entities match the filter without modifying anything.

// Request
{
  "action": "setPermission",
  "operations": ["read"],
  "permission": "viewer",
  "dryRun": true
}

// Response
{
  "matchingCount": 42,
  "action": "setPermission",
  "operations": ["read"],
  "dryRun": true
}

Filtering

Use the filter object to target a subset of entities:
rlsOperation — match entities that have a specific RLS operation configured (e.g. "read").
rlsPermission — match entities with a specific permission value. When combined with rlsOperation, matches that exact operation; otherwise matches any operation.
rlsUserId — match entities that include a specific user ID. Scoping follows the same rules as rlsPermission.

Without a filter, the operation applies to all non-deleted entities of the type.

Response

Dry run

{
  "matchingCount": 42,
  "action": "setPermission",
  "operations": ["read"],
  "dryRun": true
}

Execute

{
  "matchingCount": 42,
  "modifiedCount": 42,
  "action": "setPermission",
  "operations": ["read"],
  "dryRun": false
}

Error responses

| Status | Condition |
|--------|-----------|
| 400 | Missing or invalid action, operations, permission, or userId |
| 400 | Type has no defaultAccess configured (for resetToDefault) |
| 404 | Type not found in the specified project |

UI

The batch RLS management tool is available in the backoffice under Settings → Types → [Type] → Manage Access tab. The UI enforces a two-step workflow: users must first Preview (dry run) before they can Apply Changes.