Story: Party-level RLS isolation
This page documents a story in Sprint 12. It captures the goal, current status, acceptance criteria, and the tasks that compose it.
Goal
Add the second RLS layer: scope data to the party subtree within a
tenant. Compute the visible-party set at login from the party
hierarchy. Prove the pattern with party_counterparties.
Status
| Field | Value |
|---|---|
| State | DONE |
| Parent sprint | Sprint 12 |
| Now | Completed 2026-02-15. |
| Waiting on | None. |
| Next | None. |
| Last touched | 2026-02-15 |
Continued in: Account-party management and login (sprint 13) — lands the multi-party login picker + account-party management UI that this story scoped as a future task. The same RLS pattern is also extended to books / portfolios / trades (party_isolation_books_portfolios_trades) and to refdata visibility (party_level_refdata_restrictions) in the same sprint.
Acceptance
- SQL helpers: visible-party-set + current-party-id + visible-party-ids.
- C++ tenant_aware_pool + context carry party context.
- Session + handler propagation in place.
- Login resolves party from account_parties; computes visible set.
- party_counterparties junction with dual (tenant + party) RLS.
- Integration tests: system sees all; leaf sees subtree only.
Tasks
| Task | State | Start | End | Description |
|---|---|---|---|---|
| Implement party-level RLS isolation | DONE | 2026-05-19 | 2026-02-15 | Second RLS layer scoped to party-subtree within a tenant. SQL: ores_refdata_visible_party_ids_fn (recursive CTE); ores_iam_current_party_id_fn + ores_iam_visible_party_ids_fn helpers. C++: extend tenant_aware_pool + context with party context; session_data + tenant_aware_handler carry party_id + visible_party_ids; login resolves party via account_parties. SQL: ores_refdata_party_counterparties_tbl as first party-scoped junction with dual (tenant + party) RLS. |
Decisions
- Visible-party set computed at login: avoids a per-query recursive CTE; the tradeoff is that hierarchy changes require a re-login.
- System party sees all: necessary for admin paths; matches the system-tenant cross-tenant pattern from sprint 11.
- party_counterparties as the first scoped junction: proves the pattern end-to-end before applying it broadly.
Out of scope
- Party picker UI for multi-party users (deferred).
- Live re-computation of visible set on hierarchy change.
See also
- Per-request tenant context (sprint 11) — the tenant RLS this story extends.
- Brainstorm multi-party support — supplies the design this story implements.