SQLSTATE 42501 ERROR Class 42: Syntax Error or Access Rule Violation

insufficient_privilege new row violates row-level security policy for table “…” — 42501

PostgreSQL error "new row violates row-level security policy for table "…"" (SQLSTATE 42501): what it means, common causes, and how to fix it.

PG 12, 13, 14, 15, 16, 17, 18
Last reviewed May 2025

Symptoms

An INSERT/UPDATE produced a row that does not satisfy the table’s row-level security (RLS) WITH CHECK policy. PostgreSQL blocks it with SQLSTATE 42501 (insufficient_privilege).

  • RLS is enabled and a WITH CHECK policy rejected the new row.
  • Common when a row’s tenant/owner column doesn’t match the current user.
  • The message names the table.

What the server log shows

ERROR:  new row violates row-level security policy for table "documents"

Why PostgreSQL raises this — what the manual says

Section 5.9 Row Security Policies:

“In addition to the SQL-standard privilege system available through GRANT, tables can have row security policies that restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands.”

When RLS is enabled, each new/updated row must satisfy the applicable WITH CHECK policy for the current role. A row that fails the check is not permitted, and PostgreSQL reports 42501.

Common causes

  • Inserting a row whose owner/tenant column doesn’t match the policy.
  • A missing session setting the policy relies on (e.g. current_setting('app.tenant')).
  • An UPDATE moving a row outside the user’s allowed set.

How to fix it

  1. Set the row’s policy-relevant columns to values allowed for the current role.
  2. Ensure any session variables the policy uses are set correctly.
  3. Review the policy: SELECT * FROM pg_policies WHERE tablename = 'documents';
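
The three causes and the fixes above, reproduced end to end as an added example (not taken from the PostgreSQL manual or the original page). The role app_user, the column tenant_id and the policy name tenant_isolation are assumptions; documents and app.tenant follow the page.

```sql
-- Constructed example: app_user, tenant_id and tenant_isolation are assumed names.
-- Run as a superuser in autocommit mode, so a failed statement does not abort the rest.
CREATE ROLE app_user NOLOGIN;
CREATE TABLE documents (tenant_id text NOT NULL, body text);
GRANT SELECT, INSERT, UPDATE ON documents TO app_user;
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;

-- The second argument (true) makes current_setting() return NULL when app.tenant
-- is unset; "tenant_id = NULL" is not true, so WITH CHECK rejects the row.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant', true))
    WITH CHECK (tenant_id = current_setting('app.tenant', true));

-- The table owner and superusers bypass RLS by default, so test as the application role.
SET ROLE app_user;

-- Cause: the session setting the policy relies on is missing.
INSERT INTO documents (tenant_id, body) VALUES ('acme', 'draft');
-- ERROR:  new row violates row-level security policy for table "documents"

-- Fix: set the session variable, then insert a row that matches it.
SET app.tenant = 'acme';
INSERT INTO documents (tenant_id, body) VALUES ('acme', 'draft');    -- succeeds

-- Cause: the tenant column does not match the policy.
INSERT INTO documents (tenant_id, body) VALUES ('globex', 'draft');  -- 42501

-- Cause: an UPDATE moves a visible row outside the allowed set.
UPDATE documents SET tenant_id = 'globex' WHERE tenant_id = 'acme';  -- 42501

RESET ROLE;

-- Review: is RLS enabled or forced, and what does each policy check?
SELECT relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'documents';
SELECT policyname, cmd, roles, qual, with_check
  FROM pg_policies WHERE tablename = 'documents';
```

In pg_policies, qual is the USING expression and with_check is the WITH CHECK expression; a policy created with only USING applies that expression to new rows as well.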

Related & next steps

Reference: PostgreSQL 18 Section 5.9 “Row Security Policies”.
