cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Lakebase Discussions
Ask questions, share challenges, and connect with others working on Lakebase. From troubleshooting to best practices, this is where conversations happen.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to use Row Level Security on a Sync table in Lakebase

Go to solution
Jeffrey-
New Contributor II

‎02-11-2026 04:45 AM

Hi,

Im trying to test some stuff out with the Databricks Lakebase, i want to connect the Lakebase to our custom frontend application. Using lakebase, since it is postgres based should result in faster query performance. I created a synced table to sync from Unity Catalog to Lakebase (autoscaling), this works well. But now im trying to enable Row Level Security but i cant get this to work. Is this just not supported or am i doing something wrong?

When execute the following SQL command: `ALTER TABLE "my_table" ENABLE ROW LEVEL SECURITY` i get this error: ERROR: must be owner of table my_table (SQLSTATE 42501)

When i check who the owner is, it results in: SELECT tableowner FROM pg_tables WHERE tablename = 'my_table';
databricks_writer_16400 

Thanks in advance!

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
sarahbhord
Databricks Employee
Databricks Employee

‎02-11-2026 11:52 AM

Hi @Jeffrey- 

Short answer: you’re not doing anything wrong—this is expected with Lakebase synced tables. UC row filters/masks don’t apply to Lakebase synced tables yet; RLS must be defined on the Postgres side separately. Synced tables are owned in Postgres by a system role (for example, databricks_writer_16400), not by the UC owner, so ALTER TABLE ... ENABLE ROW LEVEL SECURITY fails with “must be owner.

What to do

  • Create a Postgres VIEW over the synced table and apply RLS to the VIEW, then point your app to the VIEW. This avoids ownership and sync conflicts and is the recommended pattern.
     
  • If you need RLS on the base object, use a non-synced Lakebase table that you own or build a custom pipeline that writes directly to Lakebase so you control ownership/RLS

We expect to add more support cross lakebase <-> UC permissions in the future. 

Let me know if you'd like other work arounds! 

View solution in original post

6 REPLIES 6

Go to solution
sarahbhord
Databricks Employee
Databricks Employee

‎02-11-2026 11:52 AM

Hi @Jeffrey- 

Short answer: you’re not doing anything wrong—this is expected with Lakebase synced tables. UC row filters/masks don’t apply to Lakebase synced tables yet; RLS must be defined on the Postgres side separately. Synced tables are owned in Postgres by a system role (for example, databricks_writer_16400), not by the UC owner, so ALTER TABLE ... ENABLE ROW LEVEL SECURITY fails with “must be owner.

What to do

  • Create a Postgres VIEW over the synced table and apply RLS to the VIEW, then point your app to the VIEW. This avoids ownership and sync conflicts and is the recommended pattern.
     
  • If you need RLS on the base object, use a non-synced Lakebase table that you own or build a custom pipeline that writes directly to Lakebase so you control ownership/RLS

We expect to add more support cross lakebase <-> UC permissions in the future. 

Let me know if you'd like other work arounds! 

Go to solution
emanueol
New Contributor III
In response to sarahbhord

‎02-13-2026 05:40 AM

But isn't supposed UC to be governance layer on too of not only managed catalogs/tables, but also:

  • foreign catalogs - via query federation (jdbc + storage for iceberg)
  • foreign catalogs - via catalog federation
  • delta shares
  • including external tables created via sql in uc managed catalog

?

0 Kudos

Go to solution
sarahbhord
Databricks Employee
Databricks Employee
In response to emanueol

‎02-13-2026 06:20 AM

Hey @emanueol!

Good question - While UC is designed to provide a governance layer across managed tables, external tables, foreign catalogs (via query and catalog federation), and shares, there are architectural limitations when data is accessed outside Databricks compute.

Unity Catalog's row filters and column masks are enforced at query time within Databricks. When you query a Lakebase synced table directly via PostgreSQL (bypassing Databricks SQL warehouses), UC's access controls cannot be enforced because the query execution happens entirely within the PostgreSQL engine. 

We do expect to add more integrated support for permissions between Lakebase and Unity Catalog in the future.

0 Kudos

Go to solution
emanueol
New Contributor III
In response to sarahbhord

‎02-13-2026 06:47 AM

My perception is acessing any type of UC data (managed tables, manager external tables, foreign catalogs, delta shares, legacy hms) VIA Databricks compute, all have all types of UC governance like (row access or column masking policies, tagging etc) right?

 

0 Kudos

Go to solution
sarahbhord
Databricks Employee
Databricks Employee
In response to emanueol

‎02-13-2026 07:26 AM

Thanks @emanueol!

Short answer: mostly yes — when you access data as a Unity Catalog (UC) object on Databricks compute, UC governance applies. There are important nuances by source:

Bottom line: Access data as UC objects to get UC governance. Coverage is strongest on managed/external UC tables, more limited on foreign catalogs, and behaves differently for Delta Sharing. Mind runtime/compute requirements for fine‑grained controls and avoid path-based reads that bypass UC.

 

Go to solution
emanueol
New Contributor III
In response to sarahbhord

‎02-15-2026 12:33 PM

Thanks @sarahbhord let me have time merging your insights with my ongoing matrix excel of possibilities, check attached picture for the answers im trying to complete on my own personal inception to DBC UC catalogs and tables.

Many thanks for all shared links as starting point for me go through and try complete my matrix.

 

 

Preview file
264 KB
Announcements