Policy
Govern exactly what each identity reads and writes.
Open your data up to people and agents without overexposing a single row. A grant binds an identity to what it can read and write, down to the row, the column, and the value, and Nightshift enforces it on every request, so the same table looks different to each caller.
| Person | Role | orders | customers | events | arr_by_region |
|---|---|---|---|---|---|
| Ada Okaforada@acme.com | Owner | rw | rw | rw | rw |
| Lena Parklena@acme.com | Admin | rw | rw | rw | rw |
| Marc Diazmarc@acme.com | Member | r | masked | — | r |
Row, column, value
Allow, deny, and mask, exactly where you need to.
Hide the salary column, drop the rows that start with A, mask everything but the last four digits. A grant is arbitrarily specific: one person can be blocked from rows 54, 23, and 15 of a single SAP table while everyone else reads them, and the same query comes back a different shape for each.
- Filter rows by any predicate over the data
- Hide or mask columns and individual values
- The same query returns a different shape per identity
Usage · 24h
Writes, not just reads
A grant shapes the write, not just the read.
A bad write corrupts where a bad read only leaks, so writes run through the same policy. A grant scopes what an identity can change, down to the table, the row, and the column. Writes land in versioned Nightshift tables, your connected sources stay read-only, and there is no path for a person or an agent to write around the policy.
- Grants scope writes by identity, down to the row and column
- Writes land in versioned Nightshift tables; connected sources stay read-only
- No unfiltered path to write the data, the same guarantee as reads
| invoiceNetSuite | balanceNetSuite | accountSalesforce | priorityNightshift | actionNightshift |
|---|---|---|---|---|
| INV-2231 | $48,200 | Acme | High | call |
| INV-2218 | $12,400 | Globex | Med | |
| INV-2205 | $91,750 | Initech | High | escalate |
| INV-2199 | $7,300 | Umbrella | Low | |
| INV-2184 | $26,500 | Soylent | High | call |
Monitor, then enforce
Watch a rule before you turn it on.
Start a grant in monitor and Nightshift replays it against real traffic, so you see exactly what it would allow, mask, or block before anyone is affected. Promote it to enforce when you are sure, and roll it back just as fast if you are not.
- Monitor, Alert, and Enforce as a single control
- See the impact against live traffic before you commit
- Promote or roll back without a deploy
- Principal
- Support · group · 2 identities
- Resource
- *
- Condition
- any request
- Effect
- Mask email, phone, account
Enforcement
Why it holds
Why opening your data up stays safe.
Scoped to identity
A grant attaches to people, tokens, and agents, and scopes what each can read and write. The same catalog behaves differently depending on who is asking.
The only door
Policy is not a filter applied after the fact, it is the only door. Every request, read or write, is checked and shaped, so there is no unfiltered path to the data for a person or an agent to find, and no raw-SQL way around it.
Auditable by default
Every read, every write, and every grant change lands in one record, with before and after on each edit.
The rest of the product
Nightshift Console
Connect sources, query in notebooks or over MCP, and govern every read and write from one place.
Learn more
Nightshift Fiber
The typed React API for building governed data apps on your catalog.
Learn more
Compose
Compose any source into one governed catalog.
Learn more
Query
Query and write to your governed catalog from a notebook, over MCP, or in an app.
Learn more
Open your data up. Keep control.
Start free, write your first grant, and see exactly what each identity gets back. Mask a column, deny a table, and watch the impact before you enforce.
Want to look first? Take the product tour
