RESTRICT ROWS

Configures the column used for row-level access control (RLAC); you can only define one primary key column. If the column is already configured, running the RESTRICT ROWS command replaces the definition.

Use DESCRIBE TABLE to view the existing restrictions on the table.

Syntax

RESTRICT ROWS ON [<keyspace_name>.]<table_name>
  USING <pk_column_name> ;
Legend
Syntax conventions Description

UPPERCASE

Literal keyword.

Lowercase

Not literal.

< >

Variable value. Replace with a user-defined value.

[]

Optional. Square brackets ([]) surround optional command arguments. Do not type the square brackets.

( )

Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.

|

Or. A vertical bar (|) separates alternative elements. Type any one of the elements. Do not type the vertical bar.

...

Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.

'<Literal string>'

Single quotation (') marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.

{ <key> : <value> }

Map collection. Braces ({ }) enclose map collections or key value pairs. A colon separates the key and the value.

<datatype2

Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.

<cql_statement>;

End CQL statement. A semicolon (;) terminates all CQL statements.

[--]

Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.

' <<schema\> ... </schema\>> '

Search CQL only: Single quotation marks (') surround an entire XML schema declaration.

@<xml_entity>='<xml_entity_type>'

Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.

Examples

RLAC requires two commands to implement the restrictions:

  • One RESTRICT command on the rows to filter

  • One or more GRANT commands to assign permissions

The following example uses a cyclist_name column to permit each cyclist to view only their own expenses.

  1. For the cyclist_expenses table, configure the cyclist_name column for filtering so that permissions can be assigned:

    RESTRICT ROWS ON cycling.cyclist_expenses USING cyclist_name;

  2. Grant a cyclist, Vera Adrian, permission to view her own expenses:

    GRANT SELECT ON 'Vera ADRIAN' ROWS IN cycling.cyclist_expenses TO cycling_accounts;

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2026 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM