zanith

studio / security

Who can see this row?

The 2am view — permission matrix, the RLS policies actually attached, the role graph, the lock graph. Read from the catalog, not a config file.

[Screenshot: zanith studio — security, connected to postgres · prod. Tabs: locks · rls · roles · permissions. Privilege matrix (role × table · S I U D) for app_user, readonly, admin and anon across users, orders, payments (each with RLS) and audit_log; summary: 4 roles · 3 tables with RLS · payments · 2 policies. Views: permission matrix · RLS inspector · role graph · lock graph. Lock graph: 2 blocked; pid 4821 holds ACCESS EXCLUSIVE on users (kill), pid 5102 waiting 1m 12s, pid 5118 waiting 44s.]

Locks

Who's blocking whom?

Blocker. A session holding a lock someone else wants — surfaced in red, with its query and age.

Waiter. A query queued behind a blocker, in amber, with how long it's been stuck.

Cancel · kill. pg_cancel_backend or pg_terminate_backend — one click, from the graph.

03 — Row-level security

Deny-all is the failure case nobody catches.

RLS enabled with no policies means nobody can read the table except the owner. Studio flags it, and flags FORCED RLS too, which applies the policies to the owner as well. Any combination that doesn't match what you intended is surfaced.

RLS state · per table (1 flagged)

  table      RLS   policies   status
  users      ON    3          OK
  orders     ON    2          OK
  audit_log  ON    0          DENY-ALL
  products   off   0          RLS OFF
  sessions   ON    4          FORCED

audit_log has RLS enabled but zero policies. Effectively deny-all to anyone but the owner. Either add a policy or disable RLS — the current state usually means a migration that didn't finish.
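As an added example, not zanith's own code: the same RLS-state check run directly against the Postgres catalog, using the status labels from the table above. The second query lists the roles for which a deny-all table is still readable (superuser and BYPASSRLS), which is what the owner exception does not cover.

```sql
-- Added example, not part of zanith studio. Reads pg_catalog only, so any
-- role that can connect can run it. Status labels mirror the RLS-state table:
-- RLS OFF, DENY-ALL (enabled, no policies), FORCED, OK.
SELECT
    n.nspname || '.' || c.relname        AS relation,
    c.relrowsecurity                     AS rls_enabled,
    c.relforcerowsecurity                AS rls_forced,
    count(p.oid)                         AS policies,
    CASE
        WHEN NOT c.relrowsecurity  THEN 'RLS OFF'
        -- enabled with zero policies: default-deny for everyone but the owner
        -- (and superuser / BYPASSRLS roles); checked before FORCED because a
        -- forced, policy-less table locks out the owner as well
        WHEN count(p.oid) = 0      THEN 'DENY-ALL'
        -- FORCE ROW LEVEL SECURITY: policies apply to the table owner too
        WHEN c.relforcerowsecurity THEN 'FORCED'
        ELSE 'OK'
    END                                  AS status,
    pg_get_userbyid(c.relowner)          AS owner
FROM pg_class c
JOIN pg_namespace n   ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relkind IN ('r', 'p')            -- ordinary and partitioned tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
GROUP BY n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity, c.relowner
ORDER BY status, relation;               -- DENY-ALL and FORCED sort to the top

-- Roles that ignore RLS no matter what the policies say: these read a
-- DENY-ALL table anyway, so audit them first, as the roles panel does.
SELECT rolname, rolsuper, rolbypassrls, rolcanlogin
FROM pg_roles
WHERE rolsuper OR rolbypassrls
ORDER BY rolname;
```

A table that shows rls_forced = true but rls_enabled = false is reported as RLS OFF, which matches Postgres: FORCE has no effect until RLS is enabled.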

04 — Roles + permissions

Who can do what, at a glance.

The permission matrix is a single grid: grantees on rows, tables on columns, privilege chips in the cells. Roles with bypass-rls or superuser are flagged separately — those are the ones to audit first.

permissions · grantee × table

  grantee       users   orders   products   audit_log
  app_pool      SIU     SIUD     S          SI
  ops           SIUD    SIUD     SIUD       SIUD
  ci_runner     S       S        SIU        ·
  analytics_ro  S       S        S          S

ci_runner's three chips are listed in source order; which table carries no grant cannot be recovered from the flattened source, so the empty cell is shown last.
S=SELECT · I=INSERT · U=UPDATE · D=DELETE

roles · highlighted when risky

  • postgres · login · superuser · bypass-rls
  • ops · login · bypass-rls
  • app_pool · login
  • ci_runner · login
  • analytics_ro · login