Skip to main content
Combine foreign filters with tenant tokens to implement fine-grained, role-based access control (RBAC). Users see only documents they’re authorized to access based on their roles and team memberships.

How it works

Core concept: Create a separate access control table that defines which users and teams can access which documents. Use foreign filters to enforce these permissions at query time. Tenant tokens carry user identity:
Foreign filters enforce the rules:
Only documents where the access table grants permission are returned.

Data structure

Access control table

Create a separate “access” index to define permissions:

Main documents

Documents reference the access control table:

Setting up relationships

  1. Create access control index with documents defining who can access what
  2. Add foreign key to your main index pointing to access table:
  1. Configure filterable attributes on access table:

Using tenant tokens with RBAC

The tenant token contains the authenticated user’s identity:
When the user searches, the application includes this token and constructs the filter: Result: Only documents where the access table has an entry for Jeremy (direct user match) or for the “product” or “engineering” teams are returned.

Multi-level RBAC example

Combine user, team, and role filtering: This returns documents where:
  • Jeremy has editor or owner role, OR
  • Product/engineering teams have at least editor role

Handling wildcard access

For public documents, set teams = ["*"] in the access table:
Filter to include public documents:

Performance considerations

  1. Access table size: Each document’s access rules create entries. For 1000 documents with 10 team access rules each, you need ~10,000 access records.
  2. Filter specificity: The foreign filter must match ≤ 100 access records. Design your access control structure to stay within this limit:
    • Use team-based rules instead of per-user rules where possible
    • Group documents by access level (public, internal, secret)
    • Consider combining user + team checks: (user = "..." OR (teams IN [...] AND roles IN [...]))
  3. Denormalization trade-off: If RBAC queries regularly hit the 100-document limit, consider denormalizing permission fields directly into documents instead of using joins.

Security best practices

  • Token validation: Always validate tenant tokens server-side before searching
  • Immutable filters: Construct the filter on the server, never client-side
  • Scope limitation: Limit token expiration and use short-lived tokens when possible
  • Audit logging: Log access attempts for compliance and debugging
  • Regular review: Periodically audit access control table entries to remove stale permissions

Example: Implementing on the server

Next steps

Tenant tokens

Learn how to generate and manage tenant tokens

Foreign filters

Understand foreign filter syntax and capabilities

Define relationships

Set up join relationships for RBAC