v.22.3Improvement

Change Row Policies to Enhance Usability in ClickHouse

Published: November 25, 2025

Change restrictive row policies a bit to make them an easier alternative to permissive policies in easy cases. If for a particular table only restrictive policies exist (without permissive policies) users will be able to see some rows. Also SHOW CREATE ROW POLICY will always show AS permissive or AS restrictive in row policy's definition. #34596 (Vitaly Baranov).

ClickHouse improves restrictive row policies to act as a simpler alternative to permissive policies when only restrictive policies exist on a table. The SHOW CREATE ROW POLICY command now explicitly indicates whether a row policy is AS permissive or AS restrictive.

Why it matters

This feature addresses the complexity of managing row-level security by enabling restrictive policies to allow users to see some rows in scenarios where no permissive policies are defined. It simplifies access control management and makes policy behavior more transparent and consistent.

How to use it

Define restrictive row policies as usual on tables without permissive policies. The system will automatically allow users to see rows according to restrictive policy logic. Use SHOW CREATE ROW POLICY to view the exact policy definition including whether it is restrictive or permissive.

Related resources

Pull Request #34596