Read rules
Read rules determine which rows are visible.
They are evaluated whenever data is accessed and operate at row level.
How evaluation works
- Classification is evaluated
- Rule checks When True condition
- If the rule applies → it produces a decision
| Classification | When True | Rule applies |
|---|---|---|
| true | checked | yes |
| true | unchecked | no |
| false | checked | no |
| false | unchecked | yes |
Outcome
A read rule results in:
- Allow → row is visible
- Deny → row is hidden
If any deny rule applies, the row is hidden.
Important behavior
If a row is denied:
- it cannot be viewed
- it cannot be counted
- it behaves as if it does not exist
Role-based scoping
Rules can be scoped to roles:
- Apply only to selected roles
- Exclude selected roles
- Apply globally if no roles are specified
Role selection determines whether the rule is evaluated, not how it behaves.
Evaluation context
Permissions are evaluated using the current context:
- active user
- current row
- related rows
- current time
Because classifications are dynamic, any data change immediately affects:
- visibility
- edit permissions
Related resources
Understand the concept