Daml like entitlements off Daml in a DB

If one wanted to build an off ledger ODS to facilitate analytics would y’all recommend to use Row Security Policies on the DB (with interesting implications such as adding users to that DB, that are Daml Party identifiers …) or should one just add columns of signatories , observers (or just witnesses ) and enforce entitlements in client code that access that ODS?

I recommend to add signatories/observers/witnesses columns and filter based on that. The filter logic is very simple (witnesses.contains(user)) so I wouldn’t be super worried about getting it wrong. On the other hand, I don’t think you want to give end users direct access to your database so provisioning them as database users just doesn’t seem very useful and it has a fair amount of operational overhead.