Record-level access control

Tutorial

Setting up record-level access control to SQL tables and NoSQL collections.

Background

Roles govern HTTP access to the REST API endpoints in DreamFactory. When you set up a SQL or NoSQL database in the 'Services' tab, no data is accessible by default (unless you are a DreamFactory Admin). For a given role, you can specify which records can be accessed within a particular SQL table or NoSQL collection. You do this by specifying logical criteria called server-side filters.

Learn how to give access to specific records by following the examples below.

Example - Enable HTTP access to records in the Contacts table owned by this authenticated user.

Say we have field in a Contacts table called 'owner_id'. We want to ensure that users for a particular role, call it the 'Sales' role, can only create, read, update, and delete his or her own records (i.e. records where 'owner_id' == the id of the authenticated user).

1. Log into the DreamFactory admin console as an Admin.

2. Click on 'Roles' > 'Create'.

3. In the 'Access' tab, select your SQL database API for 'Service', the table name for 'Component' (here the Contact table), HTTP verbs for 'Access' (here GET, POST, PUT, PATCH, DELETE), and API for 'Requestor'.

4. Click on Show/Hide under 'Advanced Filters', then click on the plus button icon.

5. Enter 'owner_id' under Field (this is a field in your Contacts table), select '=' for Operator, and type '{user.id}' under Value.

This ensures that any user with the 'Sales' role must 1) first authenticate to access the Contacts table; 2) can only create, read, update, and delete records in the Contacts table where the 'owner_id' field is equal to the id of the authenticated user. Note that you can add as many logical rules as you need by clicking the plus button icon and adding additional logical criteria.

Example - Enable HTTP access to records in the Accounts table where 'account_type' = 'Gold' and 'region' = 'East'.

Say we have a field called 'account_type' and another field called 'region' in an Accounts table. We want to ensure that users for a particular role, call it the 'Sales East Division One' role, can only view records in the Accounts table where 'account_type' is 'Gold' and 'region' is 'East' .

1. Log into the DreamFactory admin console as an Admin.

2. Click on 'Roles' > 'Create'.

3. In the 'Access' tab, select your SQL database API for 'Service', the table name for 'Component' (here the Account table), HTTP verbs for 'Access' (here GET, POST, PUT, PATCH, DELETE), and API for 'Requestor'.

4. Click on Show/Hide under 'Advanced Filters', then click on the plus button icon.

5. Enter 'account_type' under Field (this is a field in your Accounts table), select '=' for Operator, and type 'Gold' under Value.

6. Click on the plus button icon again and enter 'region' under field (this is a field in your Accounts table), select '=' for Operator, and type 'East' under Value.

7. Make sure 'AND' is selected (you can select 'AND' for intersection or 'OR' for union of each server-side filter rule)

This ensures that any user with the 'Sales East Division One' role must 1) first authenticate to access the Accounts table 2) can only create, read, update, and delete records in the Accounts table where the 'account_type' field is equal to 'Gold' and the 'region' field is equal to 'East'. Note that you can add as many logical rules as you need by clicking the plus button icon and adding additional logical criteria.