Implementing row-level security in modern proptech
A practical guide to using Supabase RLS to isolate tenant data while keeping teams productive.
By Lukas Romero
Row-level security (RLS) is the backbone of Greenhaus’ isolation strategy. Each SQL policy uses a mix of role claims, asset attributes, and contract metadata to determine visibility.
Why RLS matters
Property management involves sensitive personal and financial data. RLS ensures that only authorized eyes see resident PII, investor statements, or maintenance photos.
Policy patterns
We rely on a few reusable patterns:
- Portfolio scoped: portfolio_id = auth.jwt()->>'portfolio'
- Asset class filters: ensures commercial teams don’t see residential records
- Time-boxed access: temporary contractors lose access automatically after their project ends
Testing strategies
Every policy ships with regression tests using pgTAP and our synthetic data generator. CI validates that expected personas retain access while outsiders are denied.
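As an added worked example (not code from the original post or from Greenhaus), the three policy patterns above are written out as Postgres policies on a constructed table, followed by the kind of pgTAP regression test the testing section describes. It assumes a Supabase Postgres database (the auth.jwt() and auth.uid() helpers, the authenticated role, and the pgTAP extension); the table, column and claim names, the test_as helper and every UUID are assumptions made for the demo.

```sql
-- Added example, not Greenhaus' code. Assumes a Supabase Postgres database: the
-- auth.jwt()/auth.uid() helpers, the "authenticated" role and the pgTAP extension.
-- Table, column and claim names and every UUID below are constructed for the demo.
begin;                      -- the whole example runs in one transaction and is rolled back
select plan(4);

-- Constructed schema: one asset table and one table of time-boxed contractor grants.
create table units (
  id           uuid primary key default gen_random_uuid(),
  portfolio_id uuid not null,
  asset_class  text not null check (asset_class in ('residential', 'commercial')),
  address      text not null
);
create table contractor_assignments (
  user_id      uuid not null,          -- matches the JWT "sub" claim
  portfolio_id uuid not null,
  ends_at      timestamptz not null
);
grant select on units, contractor_assignments to authenticated;
alter table units enable row level security;

-- Pattern 1, portfolio scoped (permissive): employees see the portfolio named in their JWT.
create policy portfolio_scoped on units
  as permissive for select to authenticated
  using (portfolio_id::text = auth.jwt() ->> 'portfolio');

-- Pattern 2, time-boxed (permissive): a contractor sees a portfolio only while an
-- assignment is open. Nothing has to be revoked when the project ends.
create policy contractor_window on units
  as permissive for select to authenticated
  using (exists (
    select 1 from contractor_assignments a
    where a.user_id = auth.uid()
      and a.portfolio_id = units.portfolio_id
      and a.ends_at > now()));

-- Pattern 3, asset class filter (restrictive): Postgres OR-s permissive policies together,
-- so a filter that must apply on top of every grant has to be RESTRICTIVE (AND-ed).
-- A missing claim makes the expression NULL, which RLS treats as false: it fails closed.
create policy asset_class_filter on units
  as restrictive for select to authenticated
  using ((auth.jwt() -> 'asset_classes') ? asset_class);

-- Hypothetical test helper: auth.jwt() reads request.jwt.claims, so installing claims
-- with set_config stands in for the signed JWT the API gateway would send.
create function test_as(claims jsonb) returns void language sql as
  $$ select set_config('request.jwt.claims', claims::text, true) $$;

-- Seed data (constructed). Portfolio 1 has one residential and one commercial unit.
insert into units (portfolio_id, asset_class, address) values
  ('11111111-1111-1111-1111-111111111111', 'residential', '1 Elm St'),
  ('11111111-1111-1111-1111-111111111111', 'commercial',  '2 Elm St'),
  ('22222222-2222-2222-2222-222222222222', 'residential', '3 Oak Ave');
insert into contractor_assignments (user_id, portfolio_id, ends_at) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '22222222-2222-2222-2222-222222222222', now() + interval '7 days'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', '22222222-2222-2222-2222-222222222222', now() - interval '1 day');

-- From here on queries run as the application role, so the policies apply.
set local role authenticated;

select test_as(jsonb_build_object('sub', 'cccccccc-cccc-cccc-cccc-cccccccccccc',
  'role', 'authenticated', 'portfolio', '11111111-1111-1111-1111-111111111111',
  'asset_classes', jsonb_build_array('residential')));
select is((select count(*) from units)::int, 1,
  'residential PM sees only the residential unit in their own portfolio');

select test_as(jsonb_build_object('sub', 'dddddddd-dddd-dddd-dddd-dddddddddddd',
  'role', 'authenticated', 'portfolio', '33333333-3333-3333-3333-333333333333',
  'asset_classes', jsonb_build_array('residential', 'commercial')));
select is((select count(*) from units)::int, 0,
  'a user from an unrelated portfolio sees nothing');

select test_as(jsonb_build_object('sub', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
  'role', 'authenticated', 'asset_classes', jsonb_build_array('residential')));
select is((select count(*) from units)::int, 1,
  'contractor with an open assignment sees the assigned portfolio');

select test_as(jsonb_build_object('sub', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb',
  'role', 'authenticated', 'asset_classes', jsonb_build_array('residential')));
select is((select count(*) from units)::int, 0,
  'contractor whose assignment has ended is denied');

select * from finish();
rollback;
```

Run it with pg_prove (or the Supabase CLI's database test runner) against a disposable database; because everything sits between begin and rollback, a failing assertion leaves no schema behind. The point worth carrying into real policies is the permissive/restrictive split: a second permissive policy widens access, so a filter that is meant to narrow it, such as the asset class check, must be restrictive. For a production schema the contractor lookup would usually be moved into a security definer function so the application role does not need direct select rights on the assignments table.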
Beyond the database
RLS ties into the API gateway, GraphQL resolvers, and search indexes. Requests include signed JWTs that mirror the same claims the database expects, creating defense-in-depth.