insufficient_privilege new row violates row-level security policy (USING expression) for table “…” — 42501

Symptoms

An UPDATE produced a row that does not satisfy the policy’s USING expression (the visibility condition) for the table. With RLS enabled, PostgreSQL blocks it with SQLSTATE 42501 (insufficient_privilege).

• The resulting row would not be visible under the USING expression.
• Specific to policies that use USING for write checks.
• Common when an UPDATE moves a row out of the user’s scope.

What the server log shows

ERROR:  new row violates row-level security policy (USING expression) for table "documents"

Why PostgreSQL raises this — what the manual says

Section 5.9 Row Security Policies:

“A policy can be specified to apply to ALL commands, or to SELECT, INSERT, UPDATE, or DELETE.”

When a policy has no separate WITH CHECK, its USING expression also validates new/updated rows. If the resulting row fails that expression, the write is disallowed and PostgreSQL reports 42501.

Common causes

• An UPDATE changing a row so it no longer matches the USING expression.
• A policy relying on USING for both read and write checks.
• Session context the policy depends on being unset/incorrect.

How to fix it

1. Keep the updated row within the bounds the USING expression allows.
2. Add an explicit WITH CHECK policy if write rules should differ from read rules.
3. Verify the session settings the policy references.

Related & next steps

• SQLSTATE 42501 — Insufficient Privilege (full reference)
• Message: new row violates RLS policy for table
• Glossary: Row-level security

Reference: PostgreSQL 18 Section 5.9 “Row Security Policies”.