receiving a schema of user interface comprising an arrangement of interface elements, each element configured to display data from cells of a database;

receiving a user permission for the user interface, the user permission specifying one or more users allowed to access the user interface;

receiving an element permission for an interface element of the user interface, the element permission specifying data of the interface element accessible to users of the user interface;

generating a policy object for the user interface based on the user permission and the element permission, the policy object specifying which cells of the database can be accessed by the user interface;

receiving a query from a client device associated with a user to implement a local instance of the user interface; and

serving the query according to the policy object, wherein serving the query comprises providing data from the database that the user interface provides access to without providing other data from the database that should not be accessible according to the policy object.