by encima 836 days ago
Have you checked out this repo: https://github.com/supabase-community/supabase-custom-claims?

The "raw_app_meta_data" stored for a user is not writeable by the user, so you can store roles and/or privileges in there.

1 comment

Thanks for sharing. Wasn’t aware of this. Will check it out today.

For now, I figured I’d have a BEFORE UPDATE trigger which compares the md5(NEW.privileges::text) with md5(OLD.privileges::text) and raises an error if they don’t match.

Not sure how to bypass the trigger for service accounts.
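
An added example, not part of either comment above: one way to write the trigger described in the reply so that it only blocks client-facing roles and lets service accounts through. The table `public.profiles`, its `jsonb` column type, and the function and trigger names are hypothetical; the role names `anon` and `authenticated` are assumed to be the roles that API clients run as.

```sql
-- Hypothetical table; the thread does not name the real one.
CREATE TABLE IF NOT EXISTS public.profiles (
    id         uuid PRIMARY KEY,
    name       text,
    privileges jsonb NOT NULL DEFAULT '{}'::jsonb  -- assumed type
);

-- Left as SECURITY INVOKER (the default) on purpose: inside the function,
-- current_user is then the role that issued the UPDATE. With SECURITY
-- DEFINER it would be the function owner and the role check would be useless.
CREATE OR REPLACE FUNCTION public.guard_privileges()
RETURNS trigger
LANGUAGE plpgsql
AS $$
BEGIN
    -- IS DISTINCT FROM compares the values directly and is NULL-safe,
    -- so no md5() or text cast is needed for a jsonb column.
    IF NEW.privileges IS DISTINCT FROM OLD.privileges
       -- Assumption: end-user requests run as one of these two roles.
       -- Any other role (a service account, the table owner) passes.
       AND current_user IN ('anon', 'authenticated')
    THEN
        RAISE EXCEPTION 'role % may not change privileges', current_user
            USING ERRCODE = 'insufficient_privilege';
    END IF;

    -- Updates that leave privileges untouched go through for every role.
    RETURN NEW;
END;
$$;

DROP TRIGGER IF EXISTS profiles_guard_privileges ON public.profiles;

CREATE TRIGGER profiles_guard_privileges
    BEFORE UPDATE ON public.profiles
    FOR EACH ROW
    EXECUTE FUNCTION public.guard_privileges();
```

If the column is plain `json` rather than `jsonb`, it has no equality operator, so compare `NEW.privileges::jsonb` with `OLD.privileges::jsonb` instead.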