In one of my previous posts I described how to restrict access to all data for “guest” users. The Backendless security model lets you control access to data tables, or more generally “asset containers”, at the role and operation levels. That means an application developer can restrict which API operations a security role may perform on a specific data table. For example, a job/resume search application may have two application roles: Employer and JobSeeker. Suppose there is a table called JobListing which contains job listing objects submitted by users in the Employer role. The restrictions on that table for the JobSeeker role may look like these:
A JobSeeker cannot:
- Write to the JobListing table
- Update the JobListing table
- Delete from the JobListing table
To set up these restrictions in Backendless:
- Create developer-defined security roles – JobSeeker and Employer.
- Click the Data icon and create/select the JobListing table.
- Click the Table Schema and Permissions button located in the top right corner.
- Click the Roles Permissions menu item.
- Make the selections as shown in the image below by clicking the icons in the cells:
Notice that the NotAuthenticatedUser role is also denied every API operation, so anonymous (guest) clients cannot read or modify the table at all. As a result of the setup above, any user in the JobSeeker role will not be able to create, update or delete objects in the JobListing table. These checks are enforced by the backend on every API call, not by the client, so a modified app cannot bypass them.
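One way to confirm from outside the console that the matrix above actually holds is to exercise the table through the REST API as each principal and check that only the expected operations succeed. The script below is an added example, not code from the original post or from Backendless. It assumes the Backendless REST conventions (POST /users/login returning a "user-token", data operations under /data/<table>, a non-2xx status for a denied call) and, since this is a search application, that a JobSeeker is still allowed to Find listings; adjust EXPECTED if your matrix differs. The fake_send transport and the responses it returns are constructed so the script runs offline; pass http_send with your own application ID and REST API key for a real check.

```python
"""Audit JobListing role permissions over the Backendless REST API.

Added example, not Backendless's own code.  Endpoint shapes are assumptions
based on the Backendless REST conventions; a denied operation is assumed to
come back with a non-2xx status.
"""
import json
import urllib.error
import urllib.request

TABLE = "JobListing"


def http_send(method, url, headers, body):
    """Real transport: one JSON request, returns (status, decoded body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            status = resp.status
    except urllib.error.HTTPError as err:
        raw = err.read()
        status = err.code
    try:
        return status, (json.loads(raw) if raw else None)
    except ValueError:
        return status, raw.decode(errors="replace")


def login(base, username, password, send=http_send):
    """Log in and return the user-token that carries the caller's roles."""
    status, body = send("POST", f"{base}/users/login", {},
                        {"login": username, "password": password})
    if status != 200 or not isinstance(body, dict) or "user-token" not in body:
        raise RuntimeError(f"login failed for {username}: HTTP {status}")
    return body["user-token"]


def attempt(base, token, op, object_id=None, send=http_send):
    """Issue one data operation and return True if the server allowed it.
    token=None sends no user-token, i.e. acts as NotAuthenticatedUser."""
    headers = {"user-token": token} if token else {}
    url = f"{base}/data/{TABLE}"
    if op == "find":
        method, body, url = "GET", None, url + "?pageSize=1"
    elif op == "create":
        method, body = "POST", {"title": "Security engineer", "company": "Example Corp"}
    elif op in ("update", "remove"):
        if object_id is None:
            raise ValueError(f"{op} needs an objectId")
        method = "PUT" if op == "update" else "DELETE"
        body = {"title": "Edited title"} if op == "update" else None
        url += f"/{object_id}"
    else:
        raise ValueError(f"unknown operation {op}")
    status, _ = send(method, url, headers, body)
    return 200 <= status < 300


# What the console matrix should produce (assumption: JobSeeker may Find).
EXPECTED = {
    "JobSeeker":            {"find": True,  "create": False, "update": False, "remove": False},
    "NotAuthenticatedUser": {"find": False, "create": False, "update": False, "remove": False},
}


def audit(base, token, role, object_id, send=http_send):
    """Try every operation as the given principal; return the list of
    (operation, actually_allowed) pairs that contradict EXPECTED[role]."""
    wrong = []
    for op, should_allow in EXPECTED[role].items():
        allowed = attempt(base, token, op, object_id, send)
        if allowed != should_allow:
            wrong.append((op, allowed))
    return wrong


# Constructed offline stand-in for the server, mirroring the console setup:
# Employer may do anything, JobSeeker may only GET, guests get nothing.
FAKE_TOKENS = {"tok-jobseeker": "JobSeeker", "tok-employer": "Employer"}


def fake_send(method, url, headers, body):
    if url.endswith("/users/login"):
        return 200, {"user-token": "tok-" + body["login"]}
    role = FAKE_TOKENS.get(headers.get("user-token"), "NotAuthenticatedUser")
    if role == "Employer":
        return 200, {"objectId": "fake-object"}
    if role == "JobSeeker" and method == "GET":
        return 200, []
    return 400, {"code": 0, "message": "permission denied (constructed response)"}


if __name__ == "__main__":
    base = "https://api.backendless.com/APP-ID/REST-KEY"  # placeholders
    seeker = login(base, "jobseeker", "secret", send=fake_send)
    print("JobSeeker mismatches:", audit(base, seeker, "JobSeeker", "fake-object", send=fake_send))
    print("Guest mismatches:", audit(base, None, "NotAuthenticatedUser", "fake-object", send=fake_send))
```

For a real run, create one listing as an Employer first to obtain an objectId for the update and remove attempts, then call audit with send=http_send; an empty list means the table behaves exactly as the matrix in the console says it should.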
By the way, you might be wondering about the Permission column in the user interface. It is indeed a very handy feature on its own and I will be reviewing it in a future post – just make sure to deny access to it for the JobSeeker role for now.