Who can see this row?
The 2am view — permission matrix, the RLS policies actually attached, the role graph, the lock graph. Read from the catalog, not a config file.
| role | users (rls) | orders (rls) | payments (rls) | audit_log |
|---|---|---|---|---|
| app_user | SIUD | SIUD | SIUD | — |
| readonly | SIUD | SIUD | SIUD | SIUD |
| admin | SIUD | SIUD | SIUD | SIUD |
| anon | — | — | — | — |
Locks
Who's blocking whom?
Blocker. A session holding a lock someone else wants — surfaced in red, with its query and age.
Waiter. A query queued behind a blocker, in amber, with how long it's been stuck.
Cancel · kill. pg_cancel_backend or pg_terminate_backend — one click, from the graph.
03 — Row-level security
Deny-all is the failure case nobody catches.
RLS enabled with no policies means nobody can read the table (except the owner), and Studio flags it. FORCED RLS, which applies even to the owner, is flagged too. The combinations that don't match what you intended are surfaced.
| table | RLS | policies | status |
|---|---|---|---|
| users | ON | 3 | OK |
| orders | ON | 2 | OK |
| audit_log | ON | 0 | DENY-ALL |
| products | off | 0 | RLS OFF |
| sessions | ON | 4 | FORCED |
audit_log has RLS enabled but zero policies. Effectively deny-all to anyone but the owner. Either add a policy or disable RLS — the current state usually means a migration that didn't finish.
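One way to derive the status column above directly from the PostgreSQL catalog, as an added example that is not Studio's own query. The status labels mirror the table above; the precedence between them (deny-all reported ahead of forced) is an assumption.

```sql
-- Added example: classify every user table by its row-level security state.
-- Reads pg_class flags and counts attached policies in pg_policy.
SELECT
    n.nspname              AS schema_name,
    c.relname              AS table_name,
    c.relrowsecurity       AS rls_enabled,   -- ALTER TABLE ... ENABLE ROW LEVEL SECURITY
    c.relforcerowsecurity  AS rls_forced,    -- ALTER TABLE ... FORCE ROW LEVEL SECURITY
    count(p.polname)       AS policies,
    CASE
        -- RLS not enabled: ordinary GRANTs alone decide access.
        WHEN NOT c.relrowsecurity        THEN 'RLS OFF'
        -- Enabled with zero policies: default-deny for everyone the
        -- policies would apply to (the owner too, if FORCE is set).
        WHEN count(p.polname) = 0        THEN 'DENY-ALL'
        -- Enabled and forced: policies also apply to the table owner.
        WHEN c.relforcerowsecurity       THEN 'FORCED'
        ELSE 'OK'
    END                    AS status
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relkind IN ('r', 'p')                 -- ordinary and partitioned tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
GROUP BY n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
ORDER BY status, schema_name, table_name;
```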
04 — Roles + permissions
Who can do what, at a glance.
The permission matrix is a single grid: grantees on rows, tables on columns, privilege chips in the cells. Roles with bypass-rls or superuser are flagged separately — those are the ones to audit first.
permissions · grantee × table
| grantee | users | orders | products | audit_log |
|---|---|---|---|---|
| app_pool | SIU | SIUD | S | SI |
| ops | SIUD | SIUD | SIUD | SIUD |
| ci_runner | S | S | SIU | — |
| analytics_ro | S | S | S | S |
S=SELECT · I=INSERT · U=UPDATE · D=DELETE
roles · highlighted when risky
- postgres · login · super · bypass-rls
- ops · login · — · bypass-rls
- app_pool · login · — · —
- ci_runner · login · — · —
- analytics_ro · login · — · —
Security touches every surface.
- Launch + auth (/studio/launch): The other half of security — who can open Studio at all, and in what mode.
- SQL playground (/studio/sql): Test a policy as a role — run a SELECT and watch RLS filter it.
- Tables surface (/studio/tables): Sensitive-column masking lives here — secrets hidden by default.
- Catalog (/studio/catalog): Policies, roles, and grants are catalog objects — browse them all.
- Workspace level (/studio/workspace): Compare roles and policies across connections from up here.
- Studio overview (/studio): The system, the contrast, the bundled architecture.