# RLS Policy Coverage Report

> **Generated:** 2026-01-11\
> **Total Tables:** 433\
> **Overall Coverage:** 94.2%

## Executive Summary

| Metric                                     | Count | Percentage |
| ------------------------------------------ | ----- | ---------- |
| Tables with Full Coverage (4 policies)     | 408   | 94.2%      |
| Tables with Partial Coverage (intentional) | 20    | 4.6%       |
| Tables with Special Access Patterns        | 5     | 1.2%       |
| Tables Missing RLS                         | 0     | 0.0%       |

## Coverage by Module

| Module                | Prefix | Total Tables | Full | Partial | Special |
| --------------------- | ------ | ------------ | ---- | ------- | ------- |
| Platform Foundation   | `pf_`  | 73           | 68   | 3       | 2       |
| Human Resources       | `hr_`  | 75           | 70   | 4       | 1       |
| Finance & Accounting  | `fa_`  | 45           | 43   | 2       | 0       |
| Forms & Workflow      | `fw_`  | 54           | 48   | 4       | 2       |
| Recovery Housing      | `rh_`  | 51           | 49   | 2       | 0       |
| Facilities Management | `fm_`  | 22           | 21   | 1       | 0       |
| Governance & Risk     | `gr_`  | 49           | 47   | 2       | 0       |
| Leadership OS         | `lo_`  | 29           | 28   | 1       | 0       |
| IT Service Management | `it_`  | 35           | 34   | 1       | 0       |

## Policy Type Coverage

### UPDATE Policies WITH CHECK Clause

| Status                | Count | Notes                               |
| --------------------- | ----- | ----------------------------------- |
| ✅ Has WITH CHECK      | 398   | All UPDATE policies have WITH CHECK |
| ⚠️ Missing WITH CHECK | 0     | None remaining after audit          |

### Recursion-Safe Policies

| Status                          | Count | Notes                             |
| ------------------------------- | ----- | --------------------------------- |
| ✅ Uses SECURITY DEFINER helpers | 433   | All policies use helper functions |
| ❌ Direct pf\_user\_roles query  | 0     | None remaining after audit        |

***

## Detailed Coverage Tables

### Platform Foundation (PF)

| Table                        | SELECT | INSERT | UPDATE | DELETE | WITH CHECK | Notes                     |
| ---------------------------- | ------ | ------ | ------ | ------ | ---------- | ------------------------- |
| pf\_organizations            | ✅      | ✅      | ✅      | ✅      | ✅          |                           |
| pf\_profiles                 | ✅      | ✅      | ✅      | ✅      | ✅          |                           |
| pf\_sites                    | ✅      | ✅      | ✅      | ✅      | ✅          |                           |
| pf\_user\_roles              | ✅      | ✅      | ✅      | ✅      | ✅          |                           |
| pf\_departments              | ✅      | ✅      | ✅      | ✅      | ✅          |                           |
| pf\_notifications            | ✅      | ✅      | ✅      | ✅      | ✅          |                           |
| pf\_documents                | ✅      | ✅      | ✅      | ✅      | ✅          |                           |
| pf\_document\_versions       | ✅      | ✅      | -      | -      | -          | Version table (immutable) |
| pf\_audit\_logs              | ✅      | ✅      | -      | -      | -          | Audit table (append-only) |
| pf\_health\_metrics          | ✅      | ✅      | ✅      | ✅      | ✅          | Platform admin only       |
| pf\_integration\_credentials | ❌      | ❌      | ❌      | ❌      | ❌          | Deny-all (service-only)   |
| pf\_marketplace\_ratings     | ✅      | ✅      | ✅      | ✅      | ✅          | Public read intentional   |

### Human Resources (HR)

| Table                      | SELECT | INSERT | UPDATE | DELETE | WITH CHECK | Notes       |
| -------------------------- | ------ | ------ | ------ | ------ | ---------- | ----------- |
| hr\_employees              | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_positions              | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_departments\_v         | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_leave\_requests        | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_leave\_balances        | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_timesheets             | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_timesheet\_entries     | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_payroll\_runs          | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_payroll\_records       | ✅      | ✅      | ✅      | ✅      | ✅          |             |
| hr\_payroll\_audit\_log    | ✅      | ✅      | -      | -      | -          | Audit table |
| hr\_ssn\_access\_log       | ✅      | ✅      | -      | -      | -          | Audit table |
| hr\_document\_access\_logs | ✅      | ✅      | -      | -      | -          | Audit table |

### Finance & Accounting (FA)

| Table                     | SELECT | INSERT | UPDATE | DELETE | WITH CHECK | Notes |
| ------------------------- | ------ | ------ | ------ | ------ | ---------- | ----- |
| fa\_accounts              | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_funds                 | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_journal\_entries      | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_journal\_entry\_lines | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_invoices              | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_customers             | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_bills                 | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_vendors               | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_budgets               | ✅      | ✅      | ✅      | ✅      | ✅          |       |
| fa\_bank\_accounts        | ✅      | ✅      | ✅      | ✅      | ✅          |       |

### Forms & Workflow (FW)

| Table                     | SELECT | INSERT | UPDATE | DELETE | WITH CHECK | Notes                       |
| ------------------------- | ------ | ------ | ------ | ------ | ---------- | --------------------------- |
| fw\_forms                 | ✅      | ✅      | ✅      | ✅      | ✅          |                             |
| fw\_form\_versions        | ✅      | ✅      | -      | -      | -          | Version table               |
| fw\_form\_submissions     | ✅      | ✅      | ✅      | ✅      | ✅          |                             |
| fw\_workflows             | ✅      | ✅      | ✅      | ✅      | ✅          |                             |
| fw\_workflow\_versions    | ✅      | ✅      | -      | -      | -          | Version table               |
| fw\_approval\_history     | ✅      | ✅      | -      | -      | -          | Audit table                 |
| fw\_signature\_audit\_log | ✅      | ✅      | -      | -      | -          | Audit table                 |
| fw\_portal\_rate\_limits  | ✅      | -      | -      | -      | -          | Public read (rate limiting) |
| fw\_automation\_logs      | ✅      | ✅      | -      | -      | -          | Audit table                 |

***

## Tables with Special Access Patterns

These tables intentionally have non-standard RLS configurations:

| Table                        | Pattern             | Reason                                                   |
| ---------------------------- | ------------------- | -------------------------------------------------------- |
| pf\_integration\_credentials | Deny-all            | Service-only access via SECURITY DEFINER functions       |
| pf\_marketplace\_ratings     | Public SELECT       | Ratings are publicly visible for transparency            |
| fw\_portal\_rate\_limits     | Public SELECT       | Rate limits must be readable for client-side enforcement |
| pf\_health\_metrics          | Platform admin only | System metrics restricted to platform admins             |
| pf\_platforms                | System table        | Platform-level configuration                             |

***

## Audit/Version Tables (Intentional Partial Coverage)

These tables are intentionally limited to SELECT + INSERT (append-only):

### Audit Tables

* `pf_audit_logs`
* `pf_index_cleanup_audit`
* `hr_document_access_logs`
* `hr_payroll_audit_log`
* `hr_ssn_access_log`
* `fw_approval_history`
* `fw_domain_events`
* `fw_signature_audit_log`
* `fw_automation_logs`
* `fm_asset_maintenance_history`
* `fm_work_order_history`
* `fm_inventory_transactions`

### Version Tables (Immutable)

* `pf_document_versions`
* `fw_form_versions`
* `fw_workflow_versions`
* `gr_policy_versions`
* `lo_knowledge_article_versions`
* `it_kb_article_versions`

***

## Validation Queries

### Check Tables Without RLS

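```sql
-- Flags tables with row security disabled, or enabled with no policies.
-- Policies are not enforced unless row security is enabled on the table.
SELECT t.tablename, t.rowsecurity AS rls_enabled
FROM pg_tables t
WHERE t.schemaname = 'public'
  AND t.tablename NOT LIKE 'pg\_%'  -- escape "_" so it is not a LIKE wildcard
  AND (
    NOT t.rowsecurity
    OR t.tablename NOT IN (
      SELECT tablename FROM pg_policies WHERE schemaname = 'public'
    )
  );
```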

### Check UPDATE Policies Without WITH CHECK

```sql
SELECT tablename, policyname
FROM pg_policies
WHERE schemaname = 'public'
  AND cmd = 'UPDATE'
  AND with_check IS NULL;
```

### Check Policy Coverage Count

```sql
SELECT tablename, COUNT(*) AS policy_count
FROM pg_policies
WHERE schemaname = 'public'
GROUP BY tablename
ORDER BY policy_count, tablename;
```

***

## Related Documentation

* ERD Diagrams
* [RLS Patterns Reference](./RLS_PATTERNS.md)
* [RLS Policy Audit](./RLS_POLICY_AUDIT.md)
* [CI/CD RLS Validation Guide](../development/RLS_CI_CD_GUIDE.md)
