Access Policies

Access policies let you control which rows of data each user can see within data that’s already been shared with them. Sharing controls WHO can access something — access policies control WHAT data they see within it.

A store manager sees their store’s data. A regional VP sees their region. The CEO sees everything. No separate copies, no separate dashboards — one dataset, filtered automatically for each person.

How policies work

An access policy is a simple rule: pick a column, pick the allowed values, assign users. That’s it. No SQL, no code, no data engineering required.

For example, a policy called “Southeast Region Only” might say: on the region column, only show rows where the value is SE. Assign that policy to your Southeast team, and they’ll only see Southeast data — everywhere in Querri.

No policies means full access

Users with no policies assigned can see all data. Policies restrict access — they don’t grant it. This means existing users aren’t locked out when you start setting up security.

Creating a policy

1. Go to Settings > Security > Access Policies
2. Click Create Policy
3. Fill in the fields:

Field	What to enter
Name	A clear label, like “Southeast Region Only” or “Store 101”
Description	Optional notes about why this policy exists
Column	The data column to filter on (e.g., region, store_id, department)
Values	The allowed values for that column (e.g., SE, NE)
Applies To	Auto or Explicit (see below)

Auto-apply vs. explicit binding

• Auto (default): The policy applies to every data source that has the specified column. Create a policy on region, and it automatically filters every source with a region column. This is the simplest option — set it and forget it.
• Explicit: The policy only applies to sources you specifically select. Use this when you have columns with the same name in different sources that mean different things.

Column matching is case-insensitive — a policy on Country matches columns named country, COUNTRY, or Country.

Assigning users

After creating a policy, add users from the policy detail view:

1. Open the policy from the list
2. Click Add Users
3. Search by name or email
4. Select users to assign

How policies combine

Users can have multiple policies. Here’s how they work together:

• Same column, different policies = OR. A user with policies for region = SE and region = NE sees rows where region is SE or NE.
• Different columns = AND. A user with region = SE and department = Sales sees only rows matching both conditions.

This composable approach covers most real-world scenarios: filter by region, department, client, store, or any combination.

Expressiveness tradeoff

The “pick a column, pick values” approach covers roughly 80-90% of real-world security needs. It doesn’t handle complex rules like org-chart hierarchies or conditional logic (“see data only if older than 30 days”). For organizations with those requirements, Querri may need to be paired with infrastructure-level security tools.

Previewing access

Use the Resolve Preview tool to verify policies before rolling them out:

1. Go to Settings > Security > Access Policies
2. Select a user and a data source
3. The preview shows exactly which rows they can access and the resulting filter

This is your safety net — verify that policies work as expected before assigning them to your team.

Key behaviors

• Policy on a source without that column: The policy is skipped for that source. The user sees all rows.
• All policies apply but no rows match: The user sees zero rows from that source.
• Dashboard access: When someone views a shared dashboard, their policies are applied automatically. Each viewer sees their version of the data.
• Audit logging: All policy changes — creates, updates, deletes, and user assignments — are recorded in the audit log.

Next steps

• Column Security — Control which columns users can see
• Groups — Assign policies to teams instead of individuals
• Dashboard Security — How shared dashboards enforce per-viewer access