skills/access-policy-designer/SKILL.md
Designs and implements row-level security (RLS), column-level masking, and role-based access control policies (RBAC/ABAC).
Install: `npx skillsauth add fatih-developer/fth-skills access-policy-designer`
This skill enforces Zero Trust at the database layer. Instead of relying purely on the application backend to filter `WHERE tenant_id = ?`, it pushes security down to the database engine to prevent data leaks.
**Core assumption:** Application code has bugs. Database security policies (RLS/Views) are the final, unbreakable safety net against SQL Injection or logic flaws.
Convert business rules into technical access models.
**Business Rule:** "Doctors can only see their own patients' records."
**Translation:** We need Row-Level Security (RLS) on the `patients` table where `primary_doctor_id = current_user_id()`.
- Policies per operation: SELECT, INSERT, UPDATE, and DELETE.
- Column-level restrictions: SELECT on specific columns. Example: a Customer Support role can see the `users` table but cannot SELECT `ssn` or `salary`.
- Generate platform-specific DDL for security policies.
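The Customer Support rule above, worked through in PostgreSQL as an added example (not code from the skill itself): column-level GRANTs deny the sensitive columns, and a redacting view serves clients that insist on every column. The role name `customer_support`, the view name `users_support`, and the schema `users(id, email, full_name, ssn text, salary numeric)` are assumptions.

```sql
-- Assumed schema: users(id, email, full_name, ssn text, salary numeric).
-- Assumed role: customer_support (created here so the script runs stand-alone).
CREATE ROLE customer_support NOLOGIN;

-- Approach 1: deny. The column-level GRANT lists exactly what support may read;
-- "SELECT ssn FROM users" or "SELECT * FROM users" then fails with a
-- permission-denied error instead of returning the sensitive columns.
REVOKE ALL ON TABLE users FROM customer_support;
GRANT SELECT (id, email, full_name) ON TABLE users TO customer_support;

-- Approach 2: redact. Some clients issue SELECT * (ORMs), so expose a view
-- that keeps the row shape but withholds the values. A plain view runs with
-- its owner's privileges, so support needs SELECT on the view only, not on
-- the masked base-table columns.
CREATE VIEW users_support AS
SELECT id,
       email,
       full_name,
       '***-**-' || right(ssn, 4) AS ssn,     -- last four digits only
       NULL::numeric              AS salary   -- column present, value withheld
FROM users;
GRANT SELECT ON users_support TO customer_support;

-- Caveat: any RLS policy on users is evaluated against the view owner, not
-- the caller. If the view owner also owns the table, add
-- ALTER TABLE users FORCE ROW LEVEL SECURITY so policies still apply.

-- Verification from a session that may switch roles:
-- SET ROLE customer_support;
-- SELECT email, full_name FROM users;      -- allowed
-- SELECT ssn FROM users;                   -- ERROR: permission denied
-- SELECT ssn, salary FROM users_support;   -- returns '***-**-1234', NULL
-- RESET ROLE;
```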
Required Outputs (must write BOTH to `docs/database-report/`):
1. **Markdown Report (`docs/database-report/access-policy-report.md`)**
### 🔒 Security Design: Patient Records
**Business Rule:** Doctors only access their assigned patients.
**SQL Implementation (PostgreSQL RLS):**
```sql
-- 1. Enable RLS on the table
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
-- 2. Create the SELECT policy
CREATE POLICY doctor_select_own_patients
ON patients FOR SELECT
TO qualified_doctors
USING (primary_doctor_id = current_setting('app.current_user_id')::uuid);
-- 3. Create the UPDATE policy (Must belong to them and remain assigned to them)
CREATE POLICY doctor_update_own_patients
ON patients FOR UPDATE
TO qualified_doctors
USING (primary_doctor_id = current_setting('app.current_user_id')::uuid)
WITH CHECK (primary_doctor_id = current_setting('app.current_user_id')::uuid);
```

**Check:** Is the `app.current_user_id` setting securely injected by the backend connection (set server-side per transaction, for example with `SET LOCAL`, never taken from client input)?
2. **Machine-Readable JSON (`docs/database-report/access-policy-output.json`)**
```json
{
"skill": "access-policy-designer",
"target_table": "patients",
"dialect": "PostgreSQL",
"policies": [
{"name": "doctor_select_own_patients", "action": "SELECT", "role": "qualified_doctors"},
{"name": "doctor_update_own_patients", "action": "UPDATE", "role": "qualified_doctors"}
],
"rls_enabled": true
}
```

- Recursive policies: if a policy on `users` queries the `users` table to check a role, it will infinite-loop. Restrict policy lookups or use a separate `user_roles` mapping table.
- Performance: policies with subqueries (`USING (EXISTS (SELECT 1 FROM ...))`) execute on every row read. Warn the user if a policy will cause a sequential scan.
- Bypass: account for `BypassRLS` roles (like system migrations or background workers), to which the policies do not apply.