Access Policies

Access policies determine specific database permissions for a single address.

Access Modes set permission defaults for all addresses. If you want different, more fine-grained permissions for each schema Model and each address, you need to set Access Policies. Access Policies allow you to define which fields inside a model the address can read and/or write.

Only the database owner can create or update Access Policies.

Access Policies have priority over Access Modes. For instance, if the Access Mode is set to PRIVATE but there's an Access Policy that allows a user to read a field, the field will be readable by that user and the rest of the users won't be able to read or write any fields.

Setting Access Policies comes in handy especially when you have a database per user, where you can let the user give other people access to read or write certain parts of the database. When you have a single database for your application, you can use this feature to set specific permissions on the fly depending on user interaction (e.g. when a user wants to give another user access to a personal profile).

Policies can be defined per Model and Field (FIELD_BASED), or can allow one user to read and write any objects and fields (ALLOW_FULL_ACCESS).

Set Access Policies

curl -XPOST "https://{COMPANY_ID}.gtw.cedalio.io/access_policies" \
-H 'Authorization: Bearer 0x22CD36DDB63A2373EAA89F07DEF5B09E72078DEA' \
-H "Content-type: application/json" \
-d '[{ "address": "0x934BC33B3A12F848FD712C1824174DE3F942E09A",
"policy_type": "FIELD_BASED",
"access_rules": [{ "object_type_name": "Post", "fields":
[{ "field_name": "id", "read": true, "write": false }] }] }]'

You can also choose to give full access to read and write the schema to a specific address:

curl -XPOST "https://{DEPLOYMENT_ID}.gtw.cedalio.io/access_policies" \
-H 'Authorization: Bearer 0x22CD36DDB63A2373EAA89F07DEF5B09E72078DEA' \
-H "Content-type: application/json" \
-d '[{ "address": "0x934BC33B3A12F848FD712C1824174DE3F942E09A",
"policy_type": "ALLOW_FULL_ACCESS" }]'

Access Policies conflict when they set different rules for the same address, model and field.

When providing two or more conflicting Access Policies, the last one will prevail. This also implies that, in order to change a Policy, you need to call the Set Policy endpoint again with the new values, which will override the old ones.
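A pre-flight check for the last-one-prevails rule, as an added example (not Cedalio's own code): it resolves a list of policy entries in order and reports which FIELD_BASED rules get overridden and which addresses receive ALLOW_FULL_ACCESS, so the owner can review the result before posting. It assumes array order is the order of application and that addresses compare case-insensitively; the function name `effective_rules`, the strict boolean check, and the second address are choices of this example.

```python
import json

def effective_rules(policies):
    """Resolve policy entries in order; return (effective, conflicts, full_access)."""
    effective, conflicts, full_access = {}, [], []
    for policy in policies:
        address = policy["address"].lower()  # assumption: case-insensitive match
        if policy["policy_type"] == "ALLOW_FULL_ACCESS":
            full_access.append(address)  # broadest grant: list it for review
            continue
        for rule in policy.get("access_rules", []):
            for field in rule["fields"]:
                key = (address, rule["object_type_name"], field["field_name"])
                new = {"read": field["read"], "write": field["write"]}
                for name, value in new.items():
                    # A quoted "true"/"false" is a string, not a permission flag.
                    if not isinstance(value, bool):
                        raise ValueError(f"{key}: {name!r} must be a JSON boolean")
                old = effective.get(key)
                if old is not None and old != new:
                    conflicts.append((key, old, new))  # old is overridden
                effective[key] = new  # the last rule prevails
    return effective, conflicts, full_access

# Constructed sample: two conflicting rules for Post.id plus one full-access grant.
ADDR = "0x934BC33B3A12F848FD712C1824174DE3F942E09A"
OTHER = "0x0000000000000000000000000000000000000001"  # constructed address
SAMPLE = json.loads("""[
  {"address": "%s", "policy_type": "FIELD_BASED", "access_rules": [
    {"object_type_name": "Post", "fields": [
      {"field_name": "id", "read": true, "write": true}]}]},
  {"address": "%s", "policy_type": "FIELD_BASED", "access_rules": [
    {"object_type_name": "Post", "fields": [
      {"field_name": "id", "read": true, "write": false}]}]},
  {"address": "%s", "policy_type": "ALLOW_FULL_ACCESS"}
]""" % (ADDR, ADDR, OTHER))

if __name__ == "__main__":
    effective, conflicts, full_access = effective_rules(SAMPLE)
    for key, old, new in conflicts:
        print("overridden:", key, old, "->", new)
    print("effective:", effective)
    print("full access:", full_access)
```
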

Get Access Policy for an address

When the Policy type is ALLOW_FULL_ACCESS the response also returns all the access rules derived from this permission.

Request

curl -XGET "https://{DEPLOYMENT_ID}.gtw.cedalio.io/access_policies/0x934BC33B3A12F848FD712C1824174DE3F942E09A" \
-H 'Authorization: Bearer 0x22CD36DDB63A2373EAA89F07DEF5B09E72078DEA' \
-H "Content-type: application/json"

Response

{
  "policy_type": "ALLOW_FULL_ACCESS",
  "access_rules": [
    {
      "object_type_name": "User",
      "fields": [
        {
          "field_name": "name",
          "write": true,
          "read": true
        }
      ]
    },
    {
      "object_type_name": "User",
      "fields": [
        {
          "field_name": "id",
          "write": true,
          "read": true
        }
      ]
    }
  ]
}
