• Safegres is expressed as a policy type (e.g.

  AuthzEntityMembership

  ) plus a JSON config (policy

  data

  ).
• The system compiles these policy nodes into enforcement mechanisms (most notably PostgreSQL RLS), but Safegres itself is not SQL.

• TypeScript SDK secure provisioning:

  constructive-security

• Relation provisioning:

  constructive-relations

• Data modules (field generators):*

  constructive-data-modules

  -- defines each Data* nodeType, what fields it creates, and which Authz* policy it pairs with

• current_user_id()

  (conceptually) = the actor's user id.
• In membership resolution tables you'll see this represented as

  actor_id

  .

• For org/group memberships:

  entity_id

  identifies the org/group.
• For app memberships: membership is global, so there is typically no per-row entity_id binding.

membership_type

• 1

  = App

• 2

  = Org

• 3

  = Group

• Every user also has an "org identity".
• Each user automatically has an org-level membership to themselves ("personal org").

owner_id

• "user owns it personally" and
• "org owns it and user is a member"

AuthzEntityMembership

• It does not bind to any field on the row being accessed.
• Therefore it is primarily an app-level gate.

• "Is this request coming from any authenticated/approved user?"
• "Is the actor a super app admin?"
• "Can the actor access a global administrative table that is not entity-scoped?"

• Using

  AuthzMembership(membership_type=2)

  on an entity-scoped table and expecting it to mean "member of this row's org".
  • It does not.
  • It means "member of any org" (or, more precisely, "has at least one org membership row"), which is almost always too broad.

• It binds membership evaluation to an

  entity_field

  on the protected row.
• It is the default choice for entity-scoped resources.

• If your row has an

  entity_id

  ,

  organization_id

  , or

  owner_id

  that should scope access: you almost always want EntityMembership, not Membership.

• Intent: what it's for
• Config: JSON shape (keys)
• Semantics: what it authorizes (in words)
• Use when / Avoid when

Note:

AuthzComposite

exists as an advanced meta-node for boolean trees; see the section at the end.

{ "entity_field": "owner_id" }

{entity_field}

• The row is owned by exactly one user, and ownership is represented directly on the row.

• Ownership can be an organization (or user-as-org) and you want "org members can access." Prefer

  AuthzEntityMembership

  (org scope) instead.

{ "entity_fields": ["sender_id", "receiver_id"] }

• A record has multiple relevant user id columns and any of them confer access.

{ "membership_type": 1 }

{ "membership_type": 1, "permission": "admin_permissions" }

• permission

  (string)

• permissions

  (string[])

• is_admin

  (boolean)

• is_owner

  (boolean)

• App-level admin checks.
• Global feature gating.

• Entity-scoped resources (anything that should be constrained by a row's field).

{ "entity_field": "entity_id", "membership_type": 2 }

• permission

  /

  permissions

• is_admin

  /

  is_owner

{entity_field}

• Org-owned or group-owned resources.

• owner_id

  that may refer to either a user or an org (because users are orgs via personal orgs).

{
  "entity_field": "post_id",
  "membership_type": 2,
  "obj_schema": "public",
  "obj_table": "posts",
  "obj_field": "organization_id"
}

• Protected rows reference another table (FK), and that related table carries

  entity_id

  / org id.

{ "owner_field": "owner_id", "membership_type": 2 }

• permission

  /

  permissions

• is_admin

  /

  is_owner

• Find the entities (orgs/groups) the actor belongs to.
• Find other users who belong to those same entities.
• Allow access when the row's

  {owner_field}

  is one of those peer user ids.

• "People in the same org can see each other's user-owned objects."

• The owner is not directly on the protected row (then use

  AuthzRelatedPeerOwnership

  ).

{
  "entity_field": "message_id",
  "membership_type": 2,
  "obj_schema": "public",
  "obj_table": "messages",
  "obj_field": "sender_id"
}

• obj_ref_field

  (defaults to

  id

  )

• permission

  /

  permissions

• is_admin

  /

  is_owner

• Find peers of the actor (as in

  AuthzPeerOwnership

  ).
• Join the related table where each peer is the related row's owner (

  obj_field

  ).
• Allow access when the protected row's

  {entity_field}

  matches those related rows.

• Protected row points at another object, and that object's owner is what should be peer-visible.

{ "direction": "down", "anchor_field": "owner_id", "entity_field": "entity_id" }

owner_id

• Manager sees subordinate-owned records.
• Subordinate sees manager-owned records.

{ "valid_from_field": "valid_from", "valid_until_field": "valid_until" }

• valid_from_field

  only -> "accessible from this time onward" (open-ended future)

• valid_until_field

  only -> "accessible until this time" (open-ended past)
• Both -> classic time window

valid_until

valid_until IS NULL OR valid_until > now()

• valid_from_inclusive

  (default

  true

  )

• valid_until_inclusive

  (default

  false

  )

• Scheduled content.
• Expiring invites.
• Open-ended "accessible after publish date" (use

  valid_from_field

  only).

Combination guidance:

AuthzTemporal

answers when access is valid, not who has access. On its own it means "anyone can access within the time window." In practice, always combine it with an identity-based policy — either as a restrictive top-level policy (ANDed with a permissive identity policy) or inside an

AuthzComposite

BoolExpr

.

Overlap with

AuthzPublishable

: You could approximate published-content gating with

AuthzTemporal

(e.g.

valid_from_field: "published_at"

with no

valid_until_field

). However,

AuthzPublishable

additionally provides the

is_published

boolean toggle, which lets authors unpublish content independently of time. Use

AuthzPublishable

when you need an explicit on/off switch; use

AuthzTemporal

when access is purely time-driven.

{}

• is_published_field

  (default

  "is_published"

  )

• published_at_field

  (default

  "published_at"

  )

• require_published_at

  (default

  true

  )

require_published_at=true

published_at <= now

• Public content that is only visible after publishing.

Combination guidance:

AuthzPublishable

answers whether content is published, not who can see it. On its own it means "anyone can see published content." In practice, always combine it with an identity-based policy — either as a restrictive top-level policy (ANDed with a permissive identity policy like

AuthzEntityMembership

) or inside an

AuthzComposite

BoolExpr

. See the "Permissive vs Restrictive policies in RLS" section for examples.

Overlap with

AuthzTemporal

: The time component of

AuthzPublishable

(

published_at <= now

) is a subset of what

AuthzTemporal

can express. The key difference is the

is_published

boolean -- a deliberate on/off toggle that

AuthzTemporal

does not provide. If you only need time-window access with no manual toggle,

AuthzTemporal

is sufficient.

Not recommended. This policy relies on a UUID array column rather than a proper foreign-key relationship. It does not scale well and bypasses normal relational integrity. Prefer

AuthzEntityMembership

or

AuthzPeerOwnership

with proper FK-based membership tables when possible.

{ "array_field": "member_ids" }

{array_field}

• Legacy share lists stored as arrays (supported but not recommended for new designs).

Not recommended. Same concern as

AuthzMemberList

-- relies on a UUID array column in a related table rather than proper FK-based membership. Prefer FK-based policies when possible.

{
  "owned_schema": "public",
  "owned_table": "documents",
  "owned_table_key": "member_ids",
  "owned_table_ref_key": "document_id",
  "this_object_key": "id"
}

• Legacy membership lists stored as arrays in a related table (supported but not recommended for new designs).

WARNING:

AuthzAllowAll

is almost never what you want. It grants unconditional access to every authenticated user for the specified privilege. Before using it, ask yourself: "Should literally every authenticated user be able to read/write this data?" If the answer is no (and it usually is), use a scoped policy like

AuthzDirectOwner

or

AuthzEntityMembership

instead.

Especially avoid

AuthzAllowAll

on junction tables. When creating ManyToMany relations with security, match the junction table's policy to the parent tables' policies. If parents use

AuthzDirectOwner

, the junction should too. Using

AuthzAllowAll

on a junction table means any authenticated user can create/delete links between rows they don't own. See the

constructive-relations

skill for junction table security patterns.

{}

• Truly public reference data (e.g., a

  countries

  lookup table that any user should read)
• Public read-only access (combine with restrictive write policies)

• Using

  AuthzAllowAll

  as a "just make it work" default -- this bypasses all access control
• Using

  AuthzAllowAll

  on junction tables when parent tables have scoped policies -- the junction should match the parents
• Using

  AuthzAllowAll

  for both read AND write on any table with user-generated content

{}

• Explicitly blocking a privilege.

AuthzComposite

data

AuthzComposite

BoolExpr

{
  "AuthzEntityMembership": {
    "entity_field": "owner_id",
    "membership_type": "Organization Member"
  }
}

BoolExpr

{
  "BoolExpr": {
    "boolop": "AND_EXPR",
    "args": [
      { "AuthzTemporal": { "valid_from_field": "publish_at" } },
      { "AuthzDirectOwner": { "entity_field": "owner_id" } }
    ]
  }
}

BoolExpr

{
  "BoolExpr": {
    "boolop": "OR_EXPR",
    "args": [
      {
        "AuthzEntityMembership": {
          "entity_field": "owner_id",
          "membership_type": "Organization Member"
        }
      },
      {
        "AuthzMembership": {
          "membership_type": "App Member",
          "permission": "create_invites"
        }
      }
    ]
  }
}

AuthzComposite

• Genuinely nested boolean logic that cannot be expressed with separate top-level policies.
• Mixing AND/OR at different levels (e.g.,

  (A OR B) AND (C OR D)

  ).
• NOT expressions.
• Non-authz conditions in the same expression tree (e.g., column value checks combined with auth checks).

• Permissive (default): Multiple permissive policies on the same table and privilege are ORed together. If any permissive policy passes, the row is accessible.
• Restrictive (

  permissive := false

  ): Restrictive policies are ANDed with the result of permissive policies. All restrictive policies must pass in addition to at least one permissive policy.

Policy 1 (permissive): AuthzDirectOwner { entity_field: "owner_id" }
Policy 2 (permissive): AuthzEntityMembership { entity_field: "organization_id", membership_type: 2, is_admin: true }

Effective rule: row.owner_id = actor OR actor is admin of row.organization_id

Policy 1 (permissive):  AuthzEntityMembership { entity_field: "entity_id", membership_type: 2 }
Policy 2 (restrictive): AuthzTemporal { valid_from_field: "starts_at", valid_until_field: "ends_at" }

Effective rule: actor is member of row.entity_id AND now() is within [starts_at, ends_at)

Policy 1 (permissive):  AuthzDirectOwner { entity_field: "owner_id" }
Policy 2 (permissive):  AuthzEntityMembership { entity_field: "organization_id", membership_type: 2 }
Policy 3 (restrictive): AuthzPublishable {}

Effective rule: (row.owner_id = actor OR actor is member of row.organization_id) AND row.is_published = true

Policy 1 (permissive):  AuthzDirectOwner { entity_field: "owner_id" }
Policy 2 (permissive):  AuthzEntityMembership { entity_field: "organization_id", membership_type: 2 }
Policy 3 (restrictive): AuthzPublishable {}
Policy 4 (restrictive): AuthzTemporal { valid_from_field: "available_from", valid_until_field: "available_until" }

Effective rule: (P1 OR P2) AND R3 AND R4
             = (owner OR org member) AND is_published AND now() in time window

(P1 OR P2 OR ... Pn) AND R1 AND R2 AND ... Rm