GitHub user dosubot[bot] added a comment to the discussion: RLS condition inconsistently applied inside dataset metric subqueries
<!-- Greeting --> Hi @mohamedsigservice! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team. <!-- Answer --> Here's what I found about how RLS injection works in Superset and the behavior you're experiencing: **How Superset decides where to inject RLS:** Superset uses sqlglot's AST (Abstract Syntax Tree) transformation to recursively detect **all tables** in a query—including those inside subqueries and metric definitions—and applies RLS predicates to each one [[1]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/sql/parse.py). The injection method depends on the database engine's capabilities [[2]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/db_engine_specs/base.py#L440-L452): - **AS_PREDICATE**: Appends RLS directly to WHERE/ON clauses - **AS_SUBQUERY**: Wraps each table in a filtered subquery (used when the DB supports subqueries and aliases) **Why metric subqueries are sometimes affected:** When the `ALLOW_ADHOC_SUBQUERY` feature flag is enabled, Superset's `validate_adhoc_subquery()` function parses ad-hoc SQL expressions (including metric definitions) and calls `apply_rls()` on any subqueries it detects [[3]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/models/helpers.py#L108-L139). This means RLS gets injected into tables at **all nesting levels**. The inconsistency you're seeing likely depends on whether a given metric's SQL contains explicit table references that sqlglot can detect vs. simple column references. **Can you control RLS scope?** Unfortunately, **there is no mechanism to selectively exclude specific subqueries or metrics from RLS injection** [[4]](https://github.com/apache/superset/issues/37695). The recursive table detection applies RLS to every table it finds. Your only levers are: - `RLS_IN_SQLLAB` feature flag (controls whether RLS applies in SQL Lab) [[5]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py#L517-L519) - Role-based filter types (`REGULAR` vs `BASE`) to control which roles get the filter - `group_key` to OR filters together within a group [[6]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/connectors/sqla/models.py#L740-L753) **Recommended workarounds for your use case:** 1. **Restructure metrics** so they don't reference tables directly in subqueries—instead, rely on the dataset's main query to pre-filter rows before aggregation. 2. **Use physical datasets** where possible, as virtual datasets with JOINs can trigger double-application of RLS (a known regression in Superset 6) [[7]](https://github.com/apache/superset/pull/38601). 3. **Design your RLS clause** to be safe when applied at any level—e.g., ensure `warehouse_id` exists on all referenced tables, or make the clause a no-op on tables without that column by using conditions that always evaluate to true on irrelevant tables. 4. **Specify explicit dataset IDs** in RLS rules rather than applying them globally, so the clause only targets datasets where it makes sense. This is a known architectural limitation. There's ongoing work related to RLS double-application in virtual datasets ([PR #37395](https://github.com/apache/superset/pull/37395)), but no fine-grained scope control for RLS injection is currently planned. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=reply-with-mention&utm_term=apache%2Fsuperset).* --- Docs are dead. Just use [Dosu](https://dosu.dev?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-tagline&utm_term=apache%2Fsuperset). [](https://app.dosu.dev/response-feedback?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-feedback&utm_term=apache%2Fsuperset&message_id=e15c1286-f240-4c8b-a790-8286e66d9587) [](https://github.dosu.com/apache/superset?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-ask-repo&utm_term=apache%2Fsuperset) [](https://app.dosu.dev/signup?referrer=openSource&source=github-footer&utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-share-team&utm_term=apache%2Fsuperset) GitHub link: https://github.com/apache/superset/discussions/40400#discussioncomment-17039190 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
