Just-In-Time Access with Row-Level Security

The database is wide open, but only for a second. That’s the promise of Just-In-Time Access with Row-Level Security: precision control over who sees what, only when they need it, and for exactly as long as necessary.

Just-In-Time Access (JIT) reduces attack surface by eliminating unused standing privileges. When paired with Row-Level Security (RLS), it goes further. Instead of granting blanket access to an entire table, RLS enforces filters on individual rows. Every query returns only the permitted set of records, based on runtime conditions and dynamic policy checks.

A JIT + RLS model works like this: a workflow triggers an access request, and access is then granted for a short, pre-defined window. Security policies at the database layer ensure that even within that window, a user can only read or update specific records, often determined by attributes like tenant ID, job role, or session metadata. Once the window closes, permissions are revoked automatically. There is nothing lingering for attackers to exploit.

Key benefits:

  • Granular Control: Row-Level Security applies fine-grained filters without rewriting queries or duplicating data tables.
  • Dynamic Enforcement: Combine time-based rules with user attributes to activate access just in time, then shut it down.
  • Auditability: Every grant, query, and revoke can be logged, making compliance and incident response faster and more reliable.
  • Reduced Risk: No standing privileges means minimal exposure in case of credential compromise or lateral movement.

Implementation best practices:

  1. Keep RLS policies in the database to maintain a single source of truth.
  2. Use short TTLs for JIT approvals—minutes, not hours.
  3. Tie conditions to both identity and context (e.g., request origin, task ID).
  4. Automate revocation via the same system that grants access.
  5. Test policies with real-world workloads to verify filters are correctly enforced.
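One way to express this model in PostgreSQL, shown as an added example that is not from the original article or from hoop.dev. Every role, table and setting name here (support_engineer, alice, orders, jit_grants, app.task_id) is hypothetical, and the 15-minute ceiling is an assumed value.

```sql
-- Constructed schema; every role, table and setting name is hypothetical.
CREATE ROLE support_engineer NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE support_engineer;

CREATE TABLE orders (
    id        bigint PRIMARY KEY,
    tenant_id text NOT NULL,
    status    text NOT NULL
);

-- One row per approved request, written only by the approval workflow.
CREATE TABLE jit_grants (
    grantee    name        NOT NULL,
    tenant_id  text        NOT NULL,
    task_id    text        NOT NULL,
    granted_at timestamptz NOT NULL DEFAULT now(),
    expires_at timestamptz NOT NULL,
    -- Short TTLs: the schema itself refuses windows longer than 15 minutes.
    CHECK (expires_at <= granted_at + interval '15 minutes')
);

GRANT SELECT, UPDATE ON orders TO support_engineer;
GRANT SELECT ON jit_grants TO support_engineer;

-- Engineers can read only their own grant rows.
ALTER TABLE jit_grants ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_grants ON jit_grants FOR SELECT TO support_engineer
    USING (grantee = current_user);

-- Table owners, superusers and BYPASSRLS roles skip RLS, so the
-- application must connect as none of those.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;

-- With no WITH CHECK clause, USING also constrains rows written by UPDATE.
CREATE POLICY jit_window ON orders FOR ALL TO support_engineer
    USING (EXISTS (
        SELECT 1 FROM jit_grants g
        WHERE g.grantee   = current_user          -- identity
          AND g.tenant_id = orders.tenant_id      -- row scope
          -- Context only: any session can SET this value itself.
          AND g.task_id   = current_setting('app.task_id', true)
          -- clock_timestamp() so expiry applies inside a long transaction.
          AND g.expires_at > clock_timestamp()));

-- Grant, issued by the approval workflow.
INSERT INTO jit_grants (grantee, tenant_id, task_id, expires_at)
VALUES ('alice', 'tenant-42', 'TASK-1001', now() + interval '10 minutes');

-- Cleanup by the same workflow; the policy already ignores expired rows.
DELETE FROM jit_grants WHERE expires_at <= now();
```

To test the policy, connect as alice, run `SET app.task_id = 'TASK-1001'`, and confirm that a SELECT on orders returns only tenant-42 rows, then returns none once expires_at has passed.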

When deployed correctly, Just-In-Time Access with Row-Level Security gives teams a direct handle on access risk without slowing down legitimate work. It replaces broad, static privilege sets with scoped, temporary rights, shrinking the window of opportunity for misuse to almost zero.

You can set up Just-In-Time Access with Row-Level Security right now—see it live in minutes at hoop.dev.