Record-level access control

Latest revision as of 18:18, 3 February 2016

Tutorial

Setting up record-level access control to SQL tables and NoSQL collections.

Background

Roles govern HTTP access to the REST API endpoints in DreamFactory. When you set up a SQL or NoSQL database in the 'Services' tab, no data is accessible by default (unless you are a DreamFactory Admin). For a given role, you can specify which records can be accessed within a particular SQL table or NoSQL collection. You do this by specifying logical criteria called server-side filters.

Learn how to give access to specific records by following the examples below.

Example - Enable HTTP access to records in the Contacts table owned by this authenticated user.

Say we have a field in a Contacts table called 'owner_id'. We want to ensure that users with a particular role, call it the 'Sales' role, can only create, read, update, and delete their own records (i.e. records where 'owner_id' == the id of the authenticated user).

1. Log into the DreamFactory admin console as an Admin.
2. Click on 'Roles' > 'Create'.
3. In the 'Access' tab, select your SQL database API for 'Service', the table name for 'Component' (here the Contact table), HTTP verbs for 'Access' (here GET, POST, PUT, PATCH, DELETE), and API for 'Requestor'.
4. Click on Show/Hide under 'Advanced Filters', then click on the plus button icon.
5. Enter 'owner_id' under Field (this is a field in your Contacts table), select '=' for Operator, and type '{user.id}' under Value.

This ensures that any user with the 'Sales' role 1) must first authenticate to access the Contacts table, and 2) can only create, read, update, and delete records in the Contacts table where the 'owner_id' field is equal to the id of the authenticated user. Note that you can add as many logical rules as you need by clicking the plus button icon and adding additional logical criteria.


[Screenshot: Roles-owner-id-filter.png]

Example - Enable HTTP access to records in the Accounts table where 'account_type' = 'Gold' and 'region' = 'East'.

Say we have a field called 'account_type' and another field called 'region' in an Accounts table. We want to ensure that users with a particular role, call it the 'Sales East Division One' role, can only view records in the Accounts table where 'account_type' is 'Gold' and 'region' is 'East'.

1. Log into the DreamFactory admin console as an Admin.
2. Click on 'Roles' > 'Create'.
3. In the 'Access' tab, select your SQL database API for 'Service', the table name for 'Component' (here the Account table), HTTP verbs for 'Access' (here GET, POST, PUT, PATCH, DELETE), and API for 'Requestor'.
4. Click on Show/Hide under 'Advanced Filters', then click on the plus button icon.
5. Enter 'account_type' under Field (this is a field in your Accounts table), select '=' for Operator, and type 'Gold' under Value.
6. Click on the plus button icon again and enter 'region' under field (this is a field in your Accounts table), select '=' for Operator, and type 'East' under Value.
7. Make sure 'AND' is selected (choose 'AND' to require every server-side filter rule to match, i.e. the intersection, or 'OR' to allow any one rule to match, i.e. the union).

This ensures that any user with the 'Sales East Division One' role 1) must first authenticate to access the Accounts table, and 2) can only create, read, update, and delete records in the Accounts table where the 'account_type' field is equal to 'Gold' and the 'region' field is equal to 'East'. Note that you can add as many logical rules as you need by clicking the plus button icon and adding additional logical criteria.


[Screenshot: Roles-account-type-filter.png]
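To make the behaviour of both examples concrete, here is an added Python model of how a role's server-side filters narrow the records a request may touch. It is not DreamFactory's own code and does not call its API: the `FilterRule`, `RoleAccess` and `authorize` names, the `contact`/`account` table names and the sample records are all constructed for this illustration. It covers both examples above: the Contacts rule whose value is the `{user.id}` placeholder, and the Accounts rule combining two criteria with 'AND' or 'OR'. The point worth noticing is that the placeholder is resolved from the authenticated session on the server side, so the caller never supplies the value being compared.

```python
"""Model of DreamFactory-style record-level access control (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Any

# Matches the '{user.<attribute>}' placeholder syntax used in the tutorial.
PLACEHOLDER = re.compile(r"^\{user\.(\w+)\}$")


@dataclass
class FilterRule:
    column: str      # field in the table, e.g. 'owner_id'
    operator: str    # only '=' and '!=' are modelled here
    value: Any       # literal, or a '{user.<attr>}' placeholder


@dataclass
class RoleAccess:
    component: str                     # table the rule applies to
    verbs: set                         # HTTP verbs granted
    filters: list = field(default_factory=list)
    filter_op: str = "AND"             # 'AND' = intersection, 'OR' = union


def resolve_value(value: Any, user: dict) -> Any:
    """Replace a '{user.<attr>}' placeholder with the authenticated user's attribute.

    The attribute comes from the server-side session, never from the request."""
    if isinstance(value, str):
        m = PLACEHOLDER.match(value)
        if m:
            return user[m.group(1)]
    return value


def rule_matches(rule: FilterRule, record: dict, user: dict) -> bool:
    actual = record.get(rule.column)
    expected = resolve_value(rule.value, user)
    if rule.operator == "=":
        return actual == expected
    if rule.operator == "!=":
        return actual != expected
    raise ValueError(f"operator not modelled: {rule.operator}")


def record_visible(access: RoleAccess, record: dict, user: dict) -> bool:
    """Apply every filter rule, combined with the role's AND/OR setting."""
    if not access.filters:
        return True
    results = [rule_matches(r, record, user) for r in access.filters]
    return all(results) if access.filter_op == "AND" else any(results)


def authorize(access: RoleAccess, verb: str, table: str, user, records: list) -> list:
    """Return the subset of `records` the request may touch.

    Raises PermissionError when the caller is unauthenticated or the role does
    not grant this verb on this table at all."""
    if user is None:
        raise PermissionError("authentication required before any table access")
    if table != access.component or verb not in access.verbs:
        raise PermissionError(f"{verb} on '{table}' not granted by role")
    return [r for r in records if record_visible(access, r, user)]


ALL_VERBS = {"GET", "POST", "PUT", "PATCH", "DELETE"}

# Role from the first example: Sales users see only records they own.
SALES = RoleAccess("contact", ALL_VERBS, [FilterRule("owner_id", "=", "{user.id}")])

# Role from the second example: Gold accounts in the East region only.
SALES_EAST = RoleAccess(
    "account", ALL_VERBS,
    [FilterRule("account_type", "=", "Gold"), FilterRule("region", "=", "East")],
    filter_op="AND",
)

# Constructed sample data standing in for the two tables.
CONTACTS = [
    {"id": 1, "owner_id": 7, "name": "Ada"},
    {"id": 2, "owner_id": 9, "name": "Grace"},
    {"id": 3, "owner_id": 7, "name": "Linus"},
]
ACCOUNTS = [
    {"id": 10, "account_type": "Gold", "region": "East"},
    {"id": 11, "account_type": "Gold", "region": "West"},
    {"id": 12, "account_type": "Silver", "region": "East"},
]


def visible_ids(access: RoleAccess, verb: str, table: str, user, records: list) -> list:
    return [r["id"] for r in authorize(access, verb, table, user, records)]


if __name__ == "__main__":
    print("Sales user 7 sees contacts:", visible_ids(SALES, "GET", "contact", {"id": 7}, CONTACTS))
    print("Sales East sees accounts:", visible_ids(SALES_EAST, "GET", "account", {"id": 7}, ACCOUNTS))
```

Switching `SALES_EAST.filter_op` to `"OR"` widens the result to every account that is either Gold or in the East, which is the union the tutorial's step 7 describes; with `"AND"` only the single Gold/East record is returned.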