Supabase RLS Pattern for Owner-Owned Records Shared with Teammates

If your app feels solid in testing but “random” with real users, it’s usually not the model. It’s permissions living in prompts instead of being enforced by the database. Below is a copyable Supabase RLS setup for an owner-owned object shared with teammates.

Supabase RLS example: Projects owned by a user, shared with teammates

Assumptions

• projects.owner\_id is the creator

• optional join table project\_members allows sharing

• users can read a project if they own it or they’re a member

• only owners can update/delete

• members can’t update the project row (extend later if you need role-based edits)

1. Tables

\-- Projects

create table if not exists public.projects (

id uuid primary key default gen\_random\_uuid(),

owner\_id uuid not null references auth.users(id),

title text not null,

status text not null default 'active',

created\_at timestamptz not null default now(),

updated\_at timestamptz not null default now()

);

\-- Optional: membership for sharing projects

create table if not exists public.project\_members (

project\_id uuid not null references public.projects(id) on delete cascade,

user\_id uuid not null references auth.users(id) on delete cascade,

role text not null default 'member',

created\_at timestamptz not null default now(),

primary key (project\_id, user\_id)

);

\-- Helpful indexes

create index if not exists projects\_owner\_id\_idx on public.projects(owner\_id);

create index if not exists project\_members\_user\_id\_idx on public.project\_members(user\_id);

2. Enable RLS

alter table public.projects enable row level security;

alter table public.project\_members enable row level security;

3. Policies