**Is anyone else having issues with RLS
Is anyone else having issues with RLS and left joins?
We have optional relationships in our DB (i.e.
table_1 has a table_2_id which could be null), where it's relevant to us whether or not the relationships exist. We use Left Joins for this but having RLS defined on table_2 thoughtspot forces an inner join.
More Details
As an example: we have invoices and customers. An invoice may or may not have a customer, so the invoice's customer_id may be null. We define the join between invoice and customer to be left outer join, so that we can get all invoices regardless of whether or not they have a customer.
When the customer table has no RLS, the query generates correctly, i.e.
but when we add an RLS rule to customer, the engine seems to force an inner join
This is not good for us. We need to be able to include the null case for the customers as well.6 Replies
One way to define RLS could be via runtime filters in the embed, if all your users access it via embed. Does that work ?
we can have hidden runtime filters in the liveboard?
For example, how could we create a report that shows the proportion of invoices that do or do not have customers?
Which auth type are you using?
We use TrustedAuthTokenCookieless with a NextJS backend
So you can do hidden runtime parameters via tokens https://developers.thoughtspot.com/docs/abac-user-parameters#_token_request
ABAC via token
Attribute-based access control pattern can be achieved via user parameters sent in the login token
@tkimia this behavior of altering the join type is a precautionary measure taken by TS, you can create an SRE ticket to turn off this behavior, make sure to cross check once the flag is applied.