Access Filters
Access Filters provide row-level access control in SignalSmith. An access filter defines a SQL filter condition that is automatically applied to all queries when a member of a specific group accesses data. This ensures that team members only see the data they are authorized to see — without requiring separate models or warehouse views.
How Access Filters Work
When an access filter is active for a user (via their group membership), SignalSmith automatically appends the access filter’s filter condition to every query that runs on behalf of that user. This applies to:
- Model previews — SQL query results in the model editor
- Audience builder — Filter counts, estimation, and preview
- Trait evaluation — Trait computation scoped to the access filter
- Sync execution — Only rows matching the access filter are synced to destinations
The filtering is transparent and automatic. Users do not need to add WHERE clauses to their queries — the access filter condition is injected by the platform.
Use Cases
| Use Case | Access Filter Condition | Assigned To |
|---|---|---|
| Regional data access | region = 'EMEA' | EMEA team group |
| Country-specific compliance | country_code = 'DE' | Germany operations group |
| Partner data isolation | partner_id = 'partner_abc' | Partner ABC group |
| Business unit separation | business_unit = 'enterprise' | Enterprise sales group |
| Test data isolation | environment = 'staging' | QA team group |
| Customer tier restriction | tier IN ('gold', 'platinum') | Premium support group |
Creating an Access Filter
Via the UI
- Navigate to Govern > Access Filters in the sidebar
- Click Add Access Filter
- Fill in the access filter configuration:
| Field | Description | Example |
|---|---|---|
| Name | Descriptive name for the access filter | ”EMEA Region Only” |
| Description | Explanation of what the access filter restricts | ”Limits data access to EMEA region customers” |
| Category | Organizational grouping for access filters | ”Regional”, “Partner”, “Compliance” |
| Filter Condition | SQL WHERE clause condition | region = 'EMEA' |
| Source Column | The column the filter applies to | region |
- Click Save
Via the API
curl -X POST https://your-workspace.signalsmith.dev/api/v1/subsets \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "EMEA Region Only",
"description": "Limits data access to EMEA region customers",
"category": "Regional",
"filter_condition": "region = '\''EMEA'\''",
"source_column": "region",
"enabled": true
}'Filter Conditions
Access filter conditions are SQL WHERE clause fragments. They support standard SQL operators and syntax.
Simple Equality
region = 'EMEA'IN Lists
country_code IN ('US', 'CA', 'MX')Range Conditions
created_at >= '2024-01-01'Combined Conditions
region = 'EMEA' AND customer_type = 'enterprise'NULL Checks
partner_id IS NOT NULLLIKE Patterns
email LIKE '%@mycompany.com'Important Notes on Filter Conditions
- Filter conditions must reference columns that exist in the models being queried. If a model’s SQL output does not include the access filter’s filter column, the access filter cannot be applied and the query will fail with an error.
- Conditions are appended as
ANDclauses to existing queries. They do not replace existing WHERE conditions. - Avoid complex subqueries in filter conditions. Simple equality, IN, range, and LIKE conditions perform best.
- String values must be properly quoted with single quotes within the condition.
Categories
Categories are organizational labels for access filters. They help you group related access filters for easier management and determine how multiple access filters interact.
| Category | Example Access Filters | Description |
|---|---|---|
| Regional | North America, EMEA, APAC | Restrict data by geography |
| Partner | Partner A, Partner B | Isolate data for external partners |
| Compliance | GDPR, CCPA, HIPAA | Enforce regulatory requirements |
| Business Unit | Marketing, Sales, Support | Separate data by internal teams |
| Testing | Staging, QA | Isolate test or staging data |
Categories are free-form text — you define whatever categories make sense for your organization.
How Categories Affect Access Filter Combination
When a group has multiple access filters from the same category, they are combined with OR logic (the user sees data matching any of the access filters in that category).
When a group has access filters from different categories, the categories are combined with AND logic (the user sees data matching access filters from all categories).
Example:
A group has:
- “EMEA” and “APAC” access filters in the Regional category
- “Marketing” access filter in the Business Unit category
The effective filter is:
(region = 'EMEA' OR region = 'APAC')
AND (business_unit = 'marketing')This means the user sees EMEA and APAC marketing data only.
Assigning Access Filters to Groups
Access filters are assigned to groups, not individual users. This makes management scalable — instead of assigning access filters to each user, you assign them to groups, and all members of the group inherit the access filter.
Via the UI
- Navigate to Govern > RBAC > Groups
- Click on the group you want to modify
- In the Access Filters section, click Add Access Filter
- Select the access filter(s) to assign
- Click Save
Via the API
curl -X PUT https://your-workspace.signalsmith.dev/api/v1/groups/{group_id} \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"subset_ids": ["sub_abc123", "sub_def456"]
}'Multiple Groups
When a user belongs to multiple groups with different access filters, the access filters from all groups are merged:
- Access filters within the same category (across groups) are combined with
OR - Access filters across different categories are combined with
AND
Example:
- Group “EMEA Team” has access filter:
region = 'EMEA' - Group “APAC Team” has access filter:
region = 'APAC' - A user in both groups sees data where
region = 'EMEA' OR region = 'APAC'
Role Exemptions
Users with the Owner or Admin role are exempt from access filter filtering by default. They can see all data regardless of group membership. This exemption can be overridden in workspace settings if you need admins to also be subject to access filters.
How Access Filters Are Applied
When a query is executed on behalf of a user:
- SignalSmith resolves the user’s group memberships
- All access filters assigned to those groups are collected
- Access filters are grouped by category and combined (OR within category, AND across categories)
- The combined condition is appended as an
ANDclause to the query
Before access filter:
SELECT customer_id, email, region
FROM customers
WHERE lifetime_value > 100After access filter (region = 'EMEA'):
SELECT customer_id, email, region
FROM customers
WHERE lifetime_value > 100
AND (region = 'EMEA')After access filter (two categories):
SELECT customer_id, email, region, business_unit
FROM customers
WHERE lifetime_value > 100
AND (region = 'EMEA' OR region = 'APAC')
AND (business_unit = 'marketing')Managing Access Filters
Editing an Access Filter
Changes to an access filter’s condition take effect immediately. All subsequent queries from users in groups with that access filter will use the updated condition. Existing cached results are not retroactively filtered.
Disabling an Access Filter
You can disable an access filter without deleting it. A disabled access filter is not applied to any queries, even if it is still assigned to groups. This is useful for temporarily removing a restriction.
Deleting an Access Filter
Deleting an access filter removes it from all groups. Users who were restricted by the access filter will no longer have the filter applied. This action cannot be undone.
Audit Trail
Access filter application is logged in the governance audit trail:
- Access filter applied to query (with user ID, group ID, and access filter ID)
- Access filter condition used
- Query modified (original and filtered versions)
View the audit trail from Govern > Access Filters > Audit Log, or query via the API.
API Reference
# List all access filters
GET /api/v1/subsets
# Get a single access filter
GET /api/v1/subsets/{id}
# Create an access filter
POST /api/v1/subsets
# Update an access filter
PUT /api/v1/subsets/{id}
# Delete an access filter
DELETE /api/v1/subsets/{id}Common Patterns
| Pattern | Configuration |
|---|---|
| Regional data isolation | One access filter per region in a “Regional” category, assigned to regional team groups |
| Partner data rooms | One access filter per partner with partner_id filter in a “Partner” category |
| Data sovereignty | Access filters filtering by data_residency_country in a “Compliance” category |
| Tiered access | Access filters filtering by customer tier in a “Tier” category |
| Department isolation | Access filters filtering by department in a “Business Unit” category |
Next Steps
- Create groups to organize members for access filter assignment
- Set up RBAC roles to control who can create and manage access filters
- Configure destination filters for additional data flow controls