Typed RBAC

Roles & permissions

Permissions are first-class database enums. Every UI action checks them client-side; every query is enforced server-side by RLS. Two layers, one source of truth.

permissions matrix (rls-enforced)

Columns: resource, action, user, manager, admin, x-admin

| resource | action |
|---|---|
| crm.deals | select |
| crm.deals | insert |
| crm.deals | update |
| crm.deals | delete |
| crm.deals | comment |
| finance.invoices | select |
| finance.invoices | update |
| supasheet.users | invite |

What it does

The capabilities you get out of the box.

Capability 01

Typed enum

Permissions are `<schema>.<table>:<action>` enum values - no string typos.

Capability 02

Role-based

Assign permissions to roles, roles to users. Standard RBAC at the DB layer.

Capability 03

RLS-enforced

UI permission checks are a convenience; RLS is the real gate.

How it works

Three steps from SQL to UI.

  1. Add a permission. A migration adds new permission enum values for your tables.
  2. Assign to roles. Use the Supasheet admin UI or SQL to wire permissions to roles.
  3. Use anywhere. `useHasPermission()` in the UI; `auth.has_permission()` in RLS.

example/rbac.sql

```sql
-- 1. Declare the typed permissions for the table.
--    PostgreSQL only lets a new enum value be used after the transaction that
--    added it has committed, so run this step in its own migration.
alter type supasheet.app_permission add value 'crm.deals:select';
alter type supasheet.app_permission add value 'crm.deals:insert';
alter type supasheet.app_permission add value 'crm.deals:update';
alter type supasheet.app_permission add value 'crm.deals:delete';
alter type supasheet.app_permission add value 'crm.deals:audit';
alter type supasheet.app_permission add value 'crm.deals:comment';

-- 2. Grant them to a role.
insert into supasheet.role_permissions (role, permission) values
  ('manager', 'crm.deals:select'),
  ('manager', 'crm.deals:insert'),
  ('manager', 'crm.deals:update'),
  ('manager', 'crm.deals:comment');

-- 3. Enforce them in RLS - same enum, no string typos.
--    The policy only applies once row level security is enabled on crm.deals.
create policy "managers can read deals"
  on crm.deals for select to authenticated
  using (supasheet.has_permission('crm.deals:select'));
```

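
Because RLS is the layer that actually enforces access, it is worth confirming that every table really has it switched on. The catalog query below is an added check, not part of Supasheet or of this page's example. The schema names `crm` and `finance` come from the matrix above, and the text match on `has_permission(` is a heuristic assumption about how policies are written.

```sql
-- Added audit query (not Supasheet's own code).
-- Lists tables in the given schemas and shows whether the RLS layer is in
-- place and whether its policies consult has_permission().
select
  n.nspname             as schema_name,
  c.relname             as table_name,
  c.relrowsecurity      as rls_enabled,   -- false: policies are ignored entirely
  c.relforcerowsecurity as rls_forced,    -- false: the table owner bypasses policies
  count(p.policyname)   as policy_count,
  -- Policies whose USING / WITH CHECK expression mentions has_permission(...).
  count(p.policyname) filter (
    where coalesce(p.qual, '') || coalesce(p.with_check, '')
          like '%has_permission(%'
  )                     as permission_policies
from pg_class c
join pg_namespace n
  on n.oid = c.relnamespace
left join pg_policies p
  on p.schemaname = n.nspname
 and p.tablename  = c.relname
where c.relkind in ('r', 'p')             -- ordinary and partitioned tables
  and n.nspname in ('crm', 'finance')     -- assumption: replace with your schemas
group by n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
-- Tables with RLS off sort first, then those with the fewest permission policies.
order by rls_enabled, permission_policies, schema_name, table_name;
```

Rows with `rls_enabled = false`, or with `permission_policies` lower than `policy_count`, are the ones to review: the first has no server-side gate at all, the second has at least one policy that grants access without checking a permission.
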
Get started

Try it on your own Supabase project.

Connect a project, install the Supasheet schema, and your tables are live in minutes.

No credit card · Self-host or managed · MIT licensed