PostgreSQL MCP Server

Overview Schema Related Servers Score Discussions

pg_manage_rls

Enable, disable, or manage PostgreSQL Row-Level Security policies to control data access at the row level for specific tables.

Instructions

Manage PostgreSQL Row-Level Security - enable/disable RLS and manage policies. Examples: operation="enable" with tableName="users", operation="create_policy" with tableName, policyName, using, check

Input Schema

TableJSON Schema

Name	Required	Description
`connectionString`	No	PostgreSQL connection string (optional)
`operation`	Yes	Operation: enable/disable RLS, create_policy, edit_policy, drop_policy, get_policies
`tableName`	No	Table name (required for enable/disable/create_policy/edit_policy/drop_policy, optional filter for get_policies)
`schema`	No	Schema name (defaults to public)
`policyName`	No	Policy name (required for create_policy/edit_policy/drop_policy)
`using`	No	USING expression for policy (required for create_policy, optional for edit_policy)
`check`	No	WITH CHECK expression for policy (optional for create_policy/edit_policy)
`command`	No	Command the policy applies to (for create_policy)
`role`	No	Role the policy applies to (for create_policy)
`replace`	No	Whether to replace policy if exists (for create_policy)
`roles`	No	List of roles for policy (for edit_policy)
`ifExists`	No	Include IF EXISTS clause (for drop_policy)

Implementation Reference

src/tools/functions.ts:911-1066 (handler)

Primary handler implementation for the 'pg_manage_rls' tool. This PostgresTool object defines the tool's name, description, input schema, and execute function which dispatches RLS operations (enable/disable RLS on tables, create/edit/drop/get policies) by calling internal helper functions.

export const manageRLSTool: PostgresTool = {
  name: 'pg_manage_rls',
  description: 'Manage PostgreSQL Row-Level Security - enable/disable RLS and manage policies. Examples: operation="enable" with tableName="users", operation="create_policy" with tableName, policyName, using, check',
  inputSchema: z.object({
    connectionString: z.string().optional().describe('PostgreSQL connection string (optional)'),
    operation: z.enum(['enable', 'disable', 'create_policy', 'edit_policy', 'drop_policy', 'get_policies']).describe('Operation: enable/disable RLS, create_policy, edit_policy, drop_policy, get_policies'),
    
    // Common parameters
    tableName: z.string().optional().describe('Table name (required for enable/disable/create_policy/edit_policy/drop_policy, optional filter for get_policies)'),
    schema: z.string().optional().describe('Schema name (defaults to public)'),
    
    // Policy-specific parameters
    policyName: z.string().optional().describe('Policy name (required for create_policy/edit_policy/drop_policy)'),
    using: z.string().optional().describe('USING expression for policy (required for create_policy, optional for edit_policy)'),
    check: z.string().optional().describe('WITH CHECK expression for policy (optional for create_policy/edit_policy)'),
    command: z.enum(['ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE']).optional().describe('Command the policy applies to (for create_policy)'),
    role: z.string().optional().describe('Role the policy applies to (for create_policy)'),
    replace: z.boolean().optional().describe('Whether to replace policy if exists (for create_policy)'),
    
    // Edit policy parameters
    roles: z.array(z.string()).optional().describe('List of roles for policy (for edit_policy)'),
    
    // Drop policy parameters
    ifExists: z.boolean().optional().describe('Include IF EXISTS clause (for drop_policy)')
  }),
  // biome-ignore lint/suspicious/noExplicitAny: <explanation>
  execute: async (args: any, getConnectionStringVal: GetConnectionStringFn): Promise<ToolOutput> => {
    const { 
      connectionString: connStringArg,
      operation,
      tableName,
      schema,
      policyName,
      using,
      check,
      command,
      role,
      replace,
      roles,
      ifExists
    } = args as {
      connectionString?: string;
      operation: 'enable' | 'disable' | 'create_policy' | 'edit_policy' | 'drop_policy' | 'get_policies';
      tableName?: string;
      schema?: string;
      policyName?: string;
      using?: string;
      check?: string;
      command?: 'ALL' | 'SELECT' | 'INSERT' | 'UPDATE' | 'DELETE';
      role?: string;
      replace?: boolean;
      roles?: string[];
      ifExists?: boolean;
    };

    const resolvedConnString = getConnectionStringVal(connStringArg);
    let result: FunctionResult;

    try {
      switch (operation) {
        case 'enable': {
          if (!tableName) {
            return { 
              content: [{ type: 'text', text: 'Error: tableName is required for enable operation' }], 
              isError: true 
            };
          }
          result = await _enableRLS(resolvedConnString, tableName, schema);
          break;
        }

        case 'disable': {
          if (!tableName) {
            return { 
              content: [{ type: 'text', text: 'Error: tableName is required for disable operation' }], 
              isError: true 
            };
          }
          result = await _disableRLS(resolvedConnString, tableName, schema);
          break;
        }

        case 'create_policy': {
          if (!tableName || !policyName || !using) {
            return { 
              content: [{ type: 'text', text: 'Error: tableName, policyName, and using are required for create_policy operation' }], 
              isError: true 
            };
          }
          result = await _createRLSPolicy(resolvedConnString, tableName, policyName, using, check, {
            schema,
            command,
            role,
            replace
          });
          break;
        }

        case 'edit_policy': {
          if (!tableName || !policyName) {
            return { 
              content: [{ type: 'text', text: 'Error: tableName and policyName are required for edit_policy operation' }], 
              isError: true 
            };
          }
          result = await _editRLSPolicy(resolvedConnString, tableName, policyName, {
            schema,
            roles,
            using,
            check
          });
          break;
        }

        case 'drop_policy': {
          if (!tableName || !policyName) {
            return { 
              content: [{ type: 'text', text: 'Error: tableName and policyName are required for drop_policy operation' }], 
              isError: true 
            };
          }
          result = await _dropRLSPolicy(resolvedConnString, tableName, policyName, {
            schema,
            ifExists
          });
          break;
        }

        case 'get_policies': {
          result = await _getRLSPolicies(resolvedConnString, tableName, schema);
          if (result.success) {
            return { content: [{ type: 'text', text: JSON.stringify(result.details, null, 2) || result.message }] };
          }
          break;
        }

        default:
          return { 
            content: [{ type: 'text', text: `Error: Unknown operation "${operation}". Supported operations: enable, disable, create_policy, edit_policy, drop_policy, get_policies` }], 
            isError: true 
          };
      }

      if (result.success) {
        return { content: [{ type: 'text', text: result.message + (result.details ? ` Details: ${JSON.stringify(result.details)}` : '') }] };
      }
      return { content: [{ type: 'text', text: result.message }], isError: true };

    } catch (error) {
      return { 
        content: [{ type: 'text', text: `Error executing ${operation} operation: ${error instanceof Error ? error.message : String(error)}` }], 
        isError: true 
      };
    }
  }
};

src/tools/functions.ts:914-935 (schema)

Zod input schema validation for the pg_manage_rls tool parameters.

inputSchema: z.object({
  connectionString: z.string().optional().describe('PostgreSQL connection string (optional)'),
  operation: z.enum(['enable', 'disable', 'create_policy', 'edit_policy', 'drop_policy', 'get_policies']).describe('Operation: enable/disable RLS, create_policy, edit_policy, drop_policy, get_policies'),
  
  // Common parameters
  tableName: z.string().optional().describe('Table name (required for enable/disable/create_policy/edit_policy/drop_policy, optional filter for get_policies)'),
  schema: z.string().optional().describe('Schema name (defaults to public)'),
  
  // Policy-specific parameters
  policyName: z.string().optional().describe('Policy name (required for create_policy/edit_policy/drop_policy)'),
  using: z.string().optional().describe('USING expression for policy (required for create_policy, optional for edit_policy)'),
  check: z.string().optional().describe('WITH CHECK expression for policy (optional for create_policy/edit_policy)'),
  command: z.enum(['ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE']).optional().describe('Command the policy applies to (for create_policy)'),
  role: z.string().optional().describe('Role the policy applies to (for create_policy)'),
  replace: z.boolean().optional().describe('Whether to replace policy if exists (for create_policy)'),
  
  // Edit policy parameters
  roles: z.array(z.string()).optional().describe('List of roles for policy (for edit_policy)'),
  
  // Drop policy parameters
  ifExists: z.boolean().optional().describe('Include IF EXISTS clause (for drop_policy)')
}),

src/index.ts:225-257 (registration)

Registration of pg_manage_rls (imported as manageRLSTool) in the central allTools array passed to PostgreSQLServer constructor for MCP tool discovery and handling.

const allTools: PostgresTool[] = [
  // Core Analysis & Debugging
  analyzeDatabaseTool,
  debugDatabaseTool,
  
  // Schema & Structure Management (Meta-Tools)
  manageSchemaTools,
  manageFunctionsTool,
  manageTriggersTools,
  manageIndexesTool,
  manageConstraintsTool,
  manageRLSTool,
  
  // User & Security Management
  manageUsersTool,
  
  // Query & Performance Management
  manageQueryTool,
  
  // Data Operations (Enhancement Tools)
  executeQueryTool,
  executeMutationTool,
  executeSqlTool,
  
  // Documentation & Metadata
  manageCommentsTool,
  
  // Data Migration & Monitoring
  exportTableDataTool,
  importTableDataTool,
  copyBetweenDatabasesTool,
  monitorDatabaseTool
];

src/tools/functions.ts:207-236 (helper)

Helper function _enableRLS called by pg_manage_rls handler for enabling RLS on a table.

async function _enableRLS(
  connectionString: string,
  tableName: string,
  schema = 'public'
): Promise<FunctionResult> {
  const db = DatabaseConnection.getInstance();
  
  try {
    await db.connect(connectionString);
    
    await db.query(`ALTER TABLE ${schema}.${tableName} ENABLE ROW LEVEL SECURITY`);
    
    return {
      success: true,
      message: `Row-Level Security enabled on ${schema}.${tableName}`,
      details: {
        table: tableName,
        schema
      }
    };
  } catch (error) {
    return {
      success: false,
      message: `Failed to enable RLS: ${error instanceof Error ? error.message : String(error)}`,
      details: null
    };
  } finally {
    await db.disconnect();
  }
}

src/tools/functions.ts:275-338 (helper)

Helper function _createRLSPolicy for creating RLS policies.

async function _createRLSPolicy(
  connectionString: string,
  tableName: string,
  policyName: string,
  using: string,
  check?: string,
  options: {
    schema?: string;
    command?: 'ALL' | 'SELECT' | 'INSERT' | 'UPDATE' | 'DELETE';
    role?: string;
    replace?: boolean;
  } = {}
): Promise<FunctionResult> {
  const db = DatabaseConnection.getInstance();
  
  try {
    await db.connect(connectionString);
    
    const schema = options.schema || 'public';
    const command = options.command || 'ALL';
    const createOrReplace = options.replace ? 'CREATE OR REPLACE' : 'CREATE';
    
    // Build policy creation SQL
    let sql = `
      ${createOrReplace} POLICY ${policyName}
      ON ${schema}.${tableName}
      FOR ${command}
    `;
    
    // Add role if specified
    if (options.role) {
      sql += ` TO ${options.role}`;
    }
    
    // Add USING expression
    sql += ` USING (${using})`;
    
    // Add WITH CHECK expression if provided
    if (check) {
      sql += ` WITH CHECK (${check})`;
    }
    
    await db.query(sql);
    
    return {
      success: true,
      message: `Policy ${policyName} created successfully on ${schema}.${tableName}`,
      details: {
        table: tableName,
        schema,
        policy: policyName,
        command
      }
    };
  } catch (error) {
    return {
      success: false,
      message: `Failed to create policy: ${error instanceof Error ? error.message : String(error)}`,
      details: null
    };
  } finally {
    await db.disconnect();
  }
}

Tool Definition Quality

B3.1/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It mentions operations but doesn't describe critical behavioral traits: whether these are destructive changes (e.g., dropping policies), authentication requirements (connection string usage), error handling, or side effects. The examples hint at parameter usage but don't explain system impact or safety considerations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is appropriately sized with two sentences: a clear purpose statement followed by concrete examples. It's front-loaded with the core functionality and uses the examples efficiently to illustrate usage without unnecessary elaboration. Every sentence serves a functional purpose.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (12 parameters, multiple operations including potentially destructive ones like 'drop_policy'), no annotations, and no output schema, the description is incomplete. It doesn't address critical context: what the tool returns, error conditions, permission requirements, or the safety profile of different operations. For a database management tool with mutation capabilities, this creates significant gaps for an AI agent.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already documents all 12 parameters thoroughly. The description adds minimal value beyond the schema by listing example parameter combinations in the examples clause, but doesn't provide additional semantic context like parameter interdependencies or operational constraints not captured in the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Manage PostgreSQL Row-Level Security - enable/disable RLS and manage policies.' It specifies the verb ('manage') and resource ('PostgreSQL Row-Level Security') with concrete operations. However, it doesn't explicitly differentiate from sibling tools like pg_manage_constraints or pg_manage_schema, which also manage PostgreSQL database objects.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides implied usage through examples ('Examples: operation="enable" with tableName="users", operation="create_policy" with tableName, policyName, using, check'), showing when to use specific operations. However, it lacks explicit guidance on when to choose this tool over alternatives (e.g., vs. pg_manage_constraints for security vs. constraint management) or prerequisites like database permissions.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/HenkDz/postgresql-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server