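-- ============================================
-- TEMPLATE-SAAS: Sales Row Level Security
-- Version: 1.0.0
-- Module: SAAS-018
-- ============================================
--
-- Tenant isolation model
-- ----------------------
-- Every sales.* table carries a tenant_id. The caller's tenant is read from
-- the session setting app.current_tenant_id, which the application must set
-- with `SET LOCAL app.current_tenant_id = '<uuid>'` inside the transaction
-- that runs the tenant's queries. SET LOCAL (not SET) matters under
-- connection pooling: a session-level SET survives the transaction and leaks
-- the tenant id into whichever request reuses the pooled connection next.
--
-- Fail-closed behaviour: current_setting(..., true) (missing_ok = true)
-- returns NULL when the setting was never set, so `tenant_id = NULL::UUID`
-- is never true and no rows are visible or writable. A non-UUID value
-- (including the empty string a RESET leaves behind) makes the ::UUID cast
-- raise, which blocks the statement as well.
--
-- Limits: these policies guard against a missing or wrong WHERE clause in
-- application code. Anyone who can run arbitrary SQL on the connection
-- (SQL injection, an interactive session) can simply SET the setting to
-- another tenant's id, so the role the API connects with must hold only the
-- GRANTs it needs. Superusers and roles with BYPASSRLS always bypass RLS.
-- ============================================

-- ============================================
-- Enable RLS on all tables
-- ============================================
-- ENABLE alone does not apply policies to the table owner. FORCE closes that
-- gap: if the application, or a migration/seed script, connects as the owner
-- it is still subject to the policies below and must either set
-- app.current_tenant_id, be granted BYPASSRLS, or use a bypass policy.
ALTER TABLE sales.pipeline_stages ENABLE ROW LEVEL SECURITY;
ALTER TABLE sales.pipeline_stages FORCE ROW LEVEL SECURITY;

ALTER TABLE sales.leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE sales.leads FORCE ROW LEVEL SECURITY;

ALTER TABLE sales.opportunities ENABLE ROW LEVEL SECURITY;
ALTER TABLE sales.opportunities FORCE ROW LEVEL SECURITY;

ALTER TABLE sales.activities ENABLE ROW LEVEL SECURITY;
ALTER TABLE sales.activities FORCE ROW LEVEL SECURITY;

-- ============================================
-- Pipeline Stages Policies
-- ============================================
-- One permissive policy per command. Permissive policies for the same
-- command are OR'ed together, so keeping them disjoint by command means the
-- effective predicate for any statement is exactly the single policy below
-- (a policy without FOR would be FOR ALL and make the others redundant).
CREATE POLICY pipeline_stages_tenant_isolation ON sales.pipeline_stages
    FOR SELECT
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY pipeline_stages_insert ON sales.pipeline_stages
    FOR INSERT
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

-- USING selects which existing rows may be updated; WITH CHECK rejects an
-- UPDATE that would re-parent a row to another tenant_id.
CREATE POLICY pipeline_stages_update ON sales.pipeline_stages
    FOR UPDATE
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID)
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY pipeline_stages_delete ON sales.pipeline_stages
    FOR DELETE
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

-- ============================================
-- Leads Policies
-- ============================================
CREATE POLICY leads_tenant_isolation ON sales.leads
    FOR SELECT
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY leads_insert ON sales.leads
    FOR INSERT
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY leads_update ON sales.leads
    FOR UPDATE
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID)
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY leads_delete ON sales.leads
    FOR DELETE
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

-- ============================================
-- Opportunities Policies
-- ============================================
CREATE POLICY opportunities_tenant_isolation ON sales.opportunities
    FOR SELECT
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY opportunities_insert ON sales.opportunities
    FOR INSERT
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY opportunities_update ON sales.opportunities
    FOR UPDATE
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID)
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY opportunities_delete ON sales.opportunities
    FOR DELETE
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

-- ============================================
-- Activities Policies
-- ============================================
CREATE POLICY activities_tenant_isolation ON sales.activities
    FOR SELECT
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY activities_insert ON sales.activities
    FOR INSERT
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY activities_update ON sales.activities
    FOR UPDATE
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID)
    WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

CREATE POLICY activities_delete ON sales.activities
    FOR DELETE
    USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);

-- ============================================
-- Bypass policies for service role (optional)
-- ============================================
-- Because permissive policies are OR'ed, a `FOR ALL ... USING (true)` policy
-- granted TO a role removes tenant isolation for that role completely: it can
-- read, insert, update and delete every tenant's rows (WITH CHECK defaults to
-- the USING expression, i.e. also true). Enable these only for a dedicated
-- backend role used by admin/reporting jobs, never for the role the
-- tenant-facing API connects with, and do not serve tenant requests from a
-- pool that authenticates as that role. `ALTER ROLE template_saas_service
-- BYPASSRLS` has the same effect and also covers tables added later that
-- forget to declare a bypass policy.
-- CREATE POLICY pipeline_stages_service_bypass ON sales.pipeline_stages
--     FOR ALL
--     TO template_saas_service
--     USING (true);
-- CREATE POLICY leads_service_bypass ON sales.leads
--     FOR ALL
--     TO template_saas_service
--     USING (true);
-- CREATE POLICY opportunities_service_bypass ON sales.opportunities
--     FOR ALL
--     TO template_saas_service
--     USING (true);
-- CREATE POLICY activities_service_bypass ON sales.activities
--     FOR ALL
--     TO template_saas_service
--     USING (true);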