Permissions API¶
Every data object in Backendless has its own access control list (ACL) - a matrix of operations and principals (application's users or roles). An intersection of an operation and a principal contains a permission which determines whether the principal has the right to execute the operation. These permission could be either grant or deny. Backendless console provides an easy to understand way to see and manage these permissions. For example, the screenshot below demonstrates an ACL matrix for an object. Notice the intersection of a column for the Create
operation and the AuthenticatedUser
role. The cell contains a green checkmark icon representing that the permission is granted:
In addition to managing the ACL permissions with Backendless Console there is also Permissions API:
Method Signatures¶
The following method signatures are used for granting or denying access to a data object for a user, a role, all users, or all roles:
public void GrantForUser<T>( String userId, T dataObject )
public void GrantForUser<T>( String userId, T dataObject, AsyncCallback<Object> responder )
public void DenyForUser<T>( String userId, T dataObject )
public void DenyForUser<T>( String userId, T dataObject, AsyncCallback<Object> responder )
public void GrantForRole<T>( String roleName, T dataObject )
public void GrantForRole<T>( String roleName, T dataObject, AsyncCallback<Object> responder )
public void DenyForRole<T>( String roleName, T dataObject )
public void DenyForRole<T>( String roleName, T dataObject, AsyncCallback<Object> responder )
public void GrantForAllUsers<T>( T dataObject )
public void GrantForAllUsers<T>( T dataObject, AsyncCallback<Object> responder )
public void DenyForAllUsers<T>( Object dataObject )
public void DenyForAllUsers<T>( T dataObject, AsyncCallback<Object> responder )
public void GrantForAllRoles<T>( T dataObject )
public void GrantForAllRoles<T>( T dataObject, AsyncCallback<Object> responder )
public void DenyForAllRoles<T>( T dataObject )
public void DenyForAllRoles<T>( T dataObject, AsyncCallback<Object> responder )
Use these methods for the Data operations (that is, to find, update, and remove the data) performed by DataPermission
class, which is available in BackendlessAPI.Persistence
namespace.
DataPermission.FIND.<method>
to set a permission to find/retrieve a data objectDataPermission.UPDATE.<method>
to set a permission to update a data objectDataPermission.REMOVE.<method>
to set a permission to remove a data object
To grant access for a user¶
DataPermission.FIND.GrantForUser( userId, dataObject );
DataPermission.UPDATE.GrantForUser( userId, dataObject );
DataPermission.REMOVE.GrantForUser( userId, dataObject );
where:
- userId - ID of a user, for which you want to grant the find, update, or remove permission.
- dataObject - an object for which you want to grant a permission.
To grant access for a user role¶
DataPermission.FIND.GrantForRole( roleName, dataObject );
DataPermission.UPDATE.GrantForRole( roleName, dataObject );
DataPermission.REMOVE.GrantForRole( roleName, dataObject );
where:
- roleName - name of a user role, for which you want to grant the find, update, or remove permission.
- dataObject - an object for which you want to grant a permission.
To grant access for all users¶
DataPermission.FIND.GrantForAllUsers( dataObject );
DataPermission.UPDATE.GrantForAllUsers( dataObject );
DataPermission.REMOVE.GrantForAllUsers( dataObject );
where:
- dataObject - an object for which you want to grant a permission.
To grant access for all user roles¶
DataPermission.FIND.GrantForAllRoles( dataObject );
DataPermission.UPDATE.GrantForAllRoles( dataObject );
DataPermission.REMOVE.GrantForAllRoles( dataObject );
where:
- dataObject - an object for which you want to grant a permission.
To deny access for a user¶
DataPermission.FIND.DenyForUser( userId, dataObject );
DataPermission.UPDATE.DenyForUser( userId, dataObject );
DataPermission.REMOVE.DenyForUser( userId, dataObject );
where:
- userId - ID of a user, for which you want to deny a permission.
- dataObject - an object for which you want to deny a permission.
To deny access for a user role¶
DataPermission.FIND.DenyForRole( roleName, dataObject );
DataPermission.UPDATE.DenyForRole( roleName, dataObject );
DataPermission.REMOVE.DenyForRole( roleName, dataObject );
where:
- roleName
-
name of a user role, for which you want to deny a permission. - dataObject - an object for which you want to deny a permission.
To deny access for all users¶
DataPermission.FIND.DenyForAllUsers( dataObject );
DataPermission.UPDATE.DenyForAllUsers( dataObject );
DataPermission.REMOVE.DenyForAllUsers( dataObject );
where:
- dataObject - an object for which you want to deny a permission.
To deny access for all user roles¶
DataPermission.FIND.DenyForAllRoles( dataObject );
DataPermission.UPDATE.DenyForAllRoles( dataObject );
DataPermission.REMOVE.DenyForAllRoles( dataObject );
where:
- dataObject - an object for which you want to deny a permission.
Example¶
The example below demonstrates how to deny retrieving an object for all roles. The code loads an object from the Address table and then uses the object reference to deny any FIND-related operation for all roles.
AsyncCallback<Object> denyCallback = new AsyncCallback<Object>(
result =>
{
System.Console.WriteLine( "Permission has been denied for all roles" );
},
fault =>
{
System.Console.WriteLine( "Error - " + fault );
} );
AsyncCallback<Address> searchCallback = new AsyncCallback<Address>(
result =>
{
DataPermission.FIND.DenyForAllRoles( result, denyCallback );
},
fault =>
{
System.Console.WriteLine( "Error - " + fault );
} )
Backendless.Data.Of<Address>().FindFirst( searchCallback );