Security & Control

Metrics scoped to
who needs them.

Access enforcement happens at query time, not in dashboards. When an agent answers a question, every row and column is checked against the user's role. Only the data they're permitted to see is returned - built into the execution, not bolted on.

Book a DemoTry for Free
Core Capabilities

Governed access,
enforced at the query.

Row-level security and column masking that activate the instant a query runs - role-scoped, warehouse-native, with zero bypass paths for any downstream tool or dashboard.

Security that fires before a single row leaves the warehouse

Row-level security predicates are injected into every SQL statement at query execution - not enforced in a dashboard layer that users can route around. The warehouse sees only the WHERE clause the role is permitted to satisfy.

  • Predicates are injected server-side: no client, no BI tool, no export path can bypass them
  • Works across ad-hoc questions, scheduled reports, and API calls - the same rule fires every time
  • Zero-trust by default: a row is invisible until an explicit role grant makes it visible

The access control dilemma

  • Dashboard filters are easy to bypass - users export data and see restricted rows.

  • Traditional BI tools enforce access in the UI layer, not in the query. If a user can export, they can see everything.

  • Governed semantic layers require manual access policy definition - one rule per role, per metric, per table.

  • AI agents have no built-in access controls; they return answers without checking the user's permissions.

Access governance built into the agent

  • Access checks run at query time, not at render time. Every SQL execution is sandboxed to the user's role.

  • Agents inherit permissions directly from your warehouse (Snowflake, BigQuery, Databricks) - no separate access model to maintain.

  • Row and column restrictions apply equally to every query path - UI, agent, API, and export.

  • Unauthorized access attempts are logged with full audit trail: who asked, what they asked, when they asked, and what was blocked.

Governed Access

Three pillars of
governed access.

Fine-grained enforcement at every layer - rows, columns, and the SQL that produces the answer.

Row-Level Security

Filter entire rows based on user role. A sales analyst sees only their region's data; a CFO sees consolidated numbers across all regions. The agent enforces this - the user can't "see around" it by changing the question.

How row filtering works

Column-Level Masking

Restrict columns by role. Salary data hidden from ops teams; pricing hidden from customer-facing reps. The agent knows which columns the user can access and won't return forbidden fields - even if asked directly.

Masking policies

Query-Time Enforcement

Access policies run inside the SQL execution, not after. The database itself returns only authorized rows - Quaeris adds no separate layer, no post-processing cache. The source of truth is the warehouse.

Warehouse-native architecture
Access at every step

From question to governed answer,
without a bypass.

When a user submits a question, the agent runs a six-step pipeline. At each step, role-based access checks ensure data never escapes the user's permission boundary.

User AuthenticationVerify the user's identity and load their assigned roles.
Question ParsingInterpret the question into a semantic layer query.
Access Policy EvaluationQuery the role definitions and row/column filters for this user.
Governed SQL GenerationBuild the SQL with WHERE and SELECT clauses restricted to permitted data.
Warehouse ExecutionRun the SQL against your database - the warehouse is the enforcement point.
Answer Audit LogLog the question, the user, the SQL, and the result set to the governance record.
Region: East Coast · Dept: Sales
"What is revenue by product?"
ProductRegionRevenueUnit Price
Enterprise SuiteEast Coast$1.24Mmasked
Starter PlanEast Coast$385Kmasked
Pro Add-onEast Coast$210Kmasked
Access scoped in real-time - answer contains only East Coast rows; pricing columns masked per role
How we compare

Quaeris vs. traditional BI
+ ungoverned AI.

Architecture matters. See where enforcement actually lives in each approach.

CapabilityQuaeris (Governed Agent)Traditional BI ToolUngoverned AI Agent
Row-Level SecurityEnforced at query timeUI-layer; bypassable via exportNot enforced
Column-Level MaskingMasked before agent sees dataUI-layer; bypassable via exportNot enforced
Warehouse-NativeRuns inside warehouse; no data copyDepends on cloud BI vendorUsually cached or federated
Audit Trail for QueriesEvery question, user, SQL, result loggedPartial - dashboard views onlyOften no query-level audit
Role InheritanceUses warehouse roles directlyDepends on connectorSeparate access model
Access Policy as CodeDefined once, enforced everywherePer-tool policiesNo policy layer
Can Bypass via Export?No - export respects filtersYes - exports bypass filtersNo enforcement on export
Multi-Warehouse SupportSnowflake, BigQuery, Databricks, Redshift, SynapseUsually single warehouse vendorUsually single vendor

Traditional BI includes Power BI, Tableau, Looker. Ungoverned AI includes generic text-to-SQL tools and ChatGPT-connected BI.

Who benefits

Access governance
across every industry.

Same enforcement architecture, purpose-built for each vertical's access requirements.

Enforced data residency for regulated analytics

Traders see positions; risk managers see exposures by desk; compliance sees audit logs. Row-level access per trader ID, column masking on pricing and P&L. EU regulators require audit trails for every access - Quaeris logs every agent query.

Row filtering by trader/desk
Column masking on sensitive pricing
Automated compliance audit trail
Multi-currency dataset access per role

Patient data privacy with self-serve analytics

Analysts can query patient cohorts without seeing PII. Identifier masking (names, MRNs) is delegated to warehouse-native controls - Snowflake Dynamic Data Masking, BigQuery Column-Level Security. Researchers access de-identified datasets; clinical teams see full records. All queries are logged.

De-identification masking by role
Cohort analysis without PII exposure
Warehouse-delegated identifier masking
Multi-site access control

Competitive visibility without exposure

Regional managers see their region's data; external partners in the same warehouse see only anonymized benchmarks. Product pricing hidden from suppliers. SKU-level access control per partner, enforced at every query without a separate policy layer.

Partner-level row isolation
Column masking on proprietary pricing
Cross-customer analytics without data leakage
Automated access provisioning per role
Implementation

How access control works
under the hood.

Your roles define access, not ours.

Quaeris reads role definitions directly from your warehouse - Snowflake, BigQuery, Databricks. You don't need to replicate roles in a Quaeris admin panel. If a user is granted read access to a table in Snowflake, Quaeris sees that and enforces it. Role changes sync automatically - no manual reconciliation.

See integrations

Access control becomes WHERE clauses.

Behind the scenes, Quaeris translates a user's role permissions into SQL WHERE and SELECT restrictions. A sales analyst's query becomes scoped to their region and access level. The database executes the restricted query - the warehouse is the enforcement point. You can audit the SQL directly.

Audit trail deep-dive
FAQ

Common access control
questions.

SSO (via Okta, Azure AD, etc.) authenticates the user - it confirms they are who they claim to be. Quaeris uses that SSO identity to load their roles from your warehouse and enforces access based on those roles. SSO is the identity layer; warehouse roles are the permission layer. Both are required.
Ready to see it work?

Watch access controls in action.

We'll walk through your warehouse setup, show how role definitions translate to governed queries, and let you ask questions under different user roles. 30 minutes, no sales pitch.

Book a DemoTry for Free