Shift Left Database Security: Roles, Permissions, and Policies as Code
Most teams treat database security as something that happens outside the software development lifecycle. Roles, GRANT / REVOKE statements, and row-level security policies are applied directly to the database through one-off scripts or runbooks. They are rarely reviewed alongside the application code that depends on them, and rarely tested against a real instance, so each environment drifts from the others.
Atlas closes that gap. Roles, users, permissions, default privileges, and row-level security policies are defined as code, stored in version control, planned automatically, validated in CI, and applied to your databases through the same workflow as the rest of your schema. Security moves left into the pull request, where it can be reviewed and tested before it reaches production.
Supported Workflows
Atlas manages security objects through the same two workflows it uses for the rest of the schema, in either Atlas HCL or plain SQL. Pick the one that matches how the rest of your migrations are managed.
Declarative Migrations
Define the desired state (roles, grants, policies) and let Atlas plan and apply the diff with atlas schema apply. Use atlas schema plan to pre-plan and approve changes in CI.
Versioned Migrations
Generate explicit migration files for security changes with atlas migrate diff, review them in a pull request, and apply them with atlas migrate apply alongside your other migrations.
Get Started by Database
Atlas supports security as code for the most common open-source and cloud databases. Each guide walks through configuring atlas.hcl, defining roles and permissions in HCL or SQL, and applying changes safely. Atlas understands database-specific concepts: cloud-managed roles on RDS and Cloud SQL, row-level security on PostgreSQL, row policies and quotas on ClickHouse, login-mapped users on SQL Server, and more.
PostgreSQL
Declarative Security
Manage roles, users, GRANTs, and row-level security policies as the desired state. External roles like rds_superuser and pg_read_all_data are recognized so Atlas only generates the GRANT, never a CREATE ROLE.
Versioned Security
Generate explicit migration files for role, GRANT, and RLS policy changes and apply them through CI/CD alongside your schema migrations.
Default Privileges
Manage ALTER DEFAULT PRIVILEGES and the privileges PostgreSQL grants to PUBLIC out of the box (CONNECT on every database, EXECUTE on every function, USAGE on the public schema) so newly created objects inherit the right access automatically and nothing is reachable by default that should not be.
Row-Level Security Policy
Prevent missing RLS, detect BYPASSRLS drift, test tenant isolation, and block unsafe policy changes in CI.
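The following is an added example, not code from the Atlas documentation, showing the PostgreSQL objects the Default Privileges and Row-Level Security cards refer to, written as plain SQL that could live in a migration file and be applied through either workflow: a NOLOGIN group role and a login role, the default PUBLIC privileges to revoke, default privileges for future objects, a tenant-scoped table with FORCE ROW LEVEL SECURITY, and the catalog queries a CI job can run to find tenant tables without RLS and roles with BYPASSRLS. The database appdb, the migration role atlas, the roles app_rw and app_api, the table orders, and the session setting app.tenant_id are illustrative assumptions; the two seed rows are constructed test data.

```sql
-- Added example: PostgreSQL security objects as plain SQL for a migration file.
-- Not from the Atlas documentation. Assumed names: database appdb, migration
-- role atlas (the role applying this file), group role app_rw, login role
-- app_api, table orders, session setting app.tenant_id.

-- 1. Roles: the NOLOGIN group role carries privileges; the login role
--    inherits them, so the application never needs direct grants.
CREATE ROLE app_rw NOLOGIN;
CREATE ROLE app_api LOGIN IN ROLE app_rw;   -- password or IAM auth configured out of band

-- 2. Take back what PostgreSQL grants to PUBLIC by default.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;    -- CONNECT, TEMP
REVOKE ALL ON SCHEMA public FROM PUBLIC;     -- USAGE (and CREATE before PG 15)
GRANT CONNECT ON DATABASE appdb TO app_rw;
GRANT USAGE ON SCHEMA public TO app_rw;

-- 3. Default privileges: tables and sequences that atlas creates later in
--    public are usable by app_rw with no per-object GRANT; functions stop
--    being EXECUTE-able by everyone. This only affects objects created after
--    the statement runs, which is why it precedes the CREATE TABLE below.
ALTER DEFAULT PRIVILEGES FOR ROLE atlas IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_rw;
ALTER DEFAULT PRIVILEGES FOR ROLE atlas IN SCHEMA public
  GRANT USAGE ON SEQUENCES TO app_rw;        -- bigserial inserts need this
ALTER DEFAULT PRIVILEGES FOR ROLE atlas IN SCHEMA public
  REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- 4. A tenant-scoped table. Constructed seed rows go in before RLS is
--    enabled: once FORCEd, the owner is subject to policies too, and no
--    policy below applies to atlas.
CREATE TABLE orders (
  id        bigserial PRIMARY KEY,
  tenant_id integer   NOT NULL,
  total     numeric   NOT NULL
);
INSERT INTO orders (tenant_id, total) VALUES (1, 10), (2, 20);  -- constructed test data

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;  -- otherwise the table owner bypasses every policy

-- current_setting(..., true) returns NULL when the setting is unset, so a
-- session that forgot to set a tenant sees nothing and can write nothing.
CREATE POLICY tenant_isolation ON orders
  FOR ALL TO app_rw
  USING      (tenant_id = current_setting('app.tenant_id', true)::integer)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::integer);

-- 5. CI checks against a dev database.
-- Tables in public that have a tenant_id column but lack enabled+forced RLS:
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
                   AND a.attname = 'tenant_id' AND NOT a.attisdropped
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND (NOT c.relrowsecurity OR NOT c.relforcerowsecurity);

-- Non-superuser roles that can bypass every policy (the drift to watch for):
SELECT rolname FROM pg_roles WHERE rolbypassrls AND NOT rolsuper;

-- 6. Tenant isolation smoke test, run in a separate session connected as app_api:
SET app.tenant_id = '1';
SELECT count(*) FROM orders;
INSERT INTO orders (tenant_id, total) VALUES (2, 5);
```

Run sections 1 to 5 as the migration role, then open a second session as app_api for section 6: with app.tenant_id set to 1 the count is 1, and the INSERT for tenant 2 is rejected by the WITH CHECK clause. FORCE ROW LEVEL SECURITY matters because the table owner is otherwise exempt from policies; the BYPASSRLS query catches roles that skip them entirely; and superusers always bypass RLS, which is one more reason an application role must never be one.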
MySQL
Declarative Security
Define MySQL users with their host scope (e.g. 'app'@'10.%'), roles (MySQL 8+), and per-table GRANTs as code. Atlas reconciles the live database with the desired state.
Versioned Security
Generate versioned migration files for users, host-scoped grants, and roles, and apply them through your migration pipeline.
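As an added example, not code from the Atlas documentation, the MySQL 8 objects the two cards above describe written as plain SQL for a migration file: a role that holds the privileges, a host-scoped account that receives the role, and the default-role activation step that is easy to miss. The database appdb, the role app_rw and the account 'app'@'10.%' are illustrative assumptions, and the password literal is a placeholder to be substituted from a secret store at apply time, never committed.

```sql
-- Added example: MySQL 8 users, host scopes and roles as plain SQL for a
-- migration file. Not from the Atlas documentation. Assumed names: database
-- appdb, role app_rw, account 'app'@'10.%'. '${APP_PASSWORD}' is a placeholder
-- for a value injected from a secret store; it must not be committed as-is.

-- The role is a locked account with no login; it carries the privileges.
CREATE ROLE IF NOT EXISTS 'app_rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw';

-- An account is the (user, host) pair. 'app'@'10.%' authenticates only from
-- 10.x.x.x; the same username from any other host is a different account
-- that does not exist here. TLS is mandatory for it.
CREATE USER IF NOT EXISTS 'app'@'10.%'
  IDENTIFIED WITH caching_sha2_password BY '${APP_PASSWORD}'
  REQUIRE SSL
  PASSWORD EXPIRE NEVER;

-- Granting a role does not activate it: without a default role the session
-- starts with no privileges at all.
GRANT 'app_rw' TO 'app'@'10.%';
SET DEFAULT ROLE 'app_rw' TO 'app'@'10.%';

-- Checks: effective privileges with the role applied, and whether a broader
-- host pattern for the same user exists (MySQL matches the most specific
-- host first, so a stray 'app'@'%' would still serve every other network).
SHOW GRANTS FOR 'app'@'10.%' USING 'app_rw';
SELECT user, host FROM mysql.user WHERE user = 'app';
```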
ClickHouse
SQL Server
Declarative Security
Manage database roles with member_of inheritance, login-mapped users, schema-scoped permissions, and EXECUTE grants on functions and procedures as the desired state.
Versioned Security
Generate migration files for roles, login-mapped users, GRANT/REVOKE, and EXECUTE permissions, and apply them through versioned migrations.
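As an added example, not code from the Atlas documentation, the SQL Server objects these two cards describe written as T-SQL for a migration file: a Windows login, the database user mapped to it, nested database roles, a schema-scoped SELECT, an EXECUTE grant on a procedure, a DENY, and a permission check run as the mapped user. The login CORP\app_svc, the schemas sales and finance, and the procedure sales.usp_place_order are illustrative assumptions; the script is meant to run connected to the target database.

```sql
-- Added example: SQL Server login-mapped users, nested database roles,
-- schema-scoped permissions and EXECUTE grants as T-SQL for a migration
-- file. Not from the Atlas documentation. Assumed names: Windows login
-- CORP\app_svc, schemas sales and finance, procedure sales.usp_place_order
-- (assumed to exist). Run while connected to the target database.

-- Server scope: an AD login, so no password lives in the migration.
CREATE LOGIN [CORP\app_svc] FROM WINDOWS;

-- Database scope: the user is the login's identity inside this database;
-- roles carry the permissions.
CREATE USER app_svc FOR LOGIN [CORP\app_svc];
CREATE ROLE app_reader;
CREATE ROLE app_writer;
ALTER ROLE app_reader ADD MEMBER app_writer;   -- app_writer inherits everything app_reader has
ALTER ROLE app_writer ADD MEMBER app_svc;

-- Schema-scoped rather than per-table: tables added to sales later are
-- covered without a new GRANT.
GRANT SELECT ON SCHEMA::sales TO app_reader;

-- Writes go only through the procedure. Ownership chaining lets it modify
-- sales tables that share its owner, so the role gets no INSERT/UPDATE grant.
GRANT EXECUTE ON OBJECT::sales.usp_place_order TO app_writer;

-- DENY overrides any GRANT reached through role membership.
DENY SELECT ON SCHEMA::finance TO app_reader;

-- Check what the mapped user actually holds, from its own point of view.
EXECUTE AS USER = 'app_svc';
SELECT permission_name
FROM sys.fn_my_permissions('sales.usp_place_order', 'OBJECT');
REVERT;
```

The check at the end is what a CI step would assert on: EXECUTE present on the procedure for app_svc, and nothing on the finance schema despite the inherited reader role.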
Schema HCL Definitions
Roles, users, permissions, and policies can be authored in either Atlas HCL or plain SQL. Use the references below to look up the exact syntax for each block.
Roles and Permissions
Reference for the role, user, and permission blocks Atlas uses to manage database access as code.
IAM Auth (AWS RDS)
Configure AWS RDS users to authenticate with short-lived IAM tokens instead of passwords.
Permissions (GRANT/REVOKE)
Express GRANT and REVOKE statements as permission blocks that Atlas reconciles against the live database.
Sensitive Information
Handle passwords and other sensitive data in your schema with masking, runtime variables, and secret stores.
IAM Authentication
Cloud-managed databases let Atlas authenticate with short-lived IAM tokens instead of static passwords.
Define a data source in atlas.hcl and reference its output in your connection URL.
Policies as Code
Database security in 2026 has dimensions that did not exist five years ago. AI coding assistants such as Cursor, Claude Code, and GitHub Copilot now write schema changes directly, and the files they generate are merged faster than any human review cycle can keep up with. At the same time, audit frameworks (SOC 2, ISO 27001, PCI DSS, HIPAA) expect evidence that every database change was reviewed, approved, and traceable to a person, which manual review at AI speed cannot deliver.
Atlas turns each of these concerns into a policy that lives in your repo, runs in CI, and produces an audit trail by default.
AI Coding Assistant Guardrails
Cursor, Claude Code, and Copilot generate schema changes that go straight into PRs. Atlas lints, plans, and tests every change as a deterministic safety layer before merge.
Custom Schema Policy
Encode your security rules as HCL: forbid GRANT to PUBLIC, require RLS on tenant-scoped tables, ban plaintext password columns, enforce audit-column conventions. Violations fail CI.
Schema Ownership Policy
Map GitHub users and teams to schema objects. A PR that crosses team boundaries (or that an AI agent touches without authorization) fails CI before merge. Codifies least-privilege at the schema level.
Drift Detection
Detect unauthorized changes the moment the live database diverges from the declared schema: out-of-band GRANTs, dropped policies, or insider DDL. An audit log records such changes but does not compare them against declared intent; drift detection does.