Permissions API

Every data object in Backendless has its own access control list (ACL): a matrix of operations and principals (the application's users or roles). The intersection of an operation and a principal contains a permission, which determines whether the principal has the right to execute the operation. A permission can be either grant or deny. Backendless Console provides an easy-to-understand way to see and manage these permissions. For example, the screenshot below shows the ACL matrix for an object. Notice the intersection of the column for the Create operation and the AuthenticatedUser role. The cell contains a green checkmark icon, indicating that the permission is granted:

permission-matrix

In addition to managing ACL permissions with Backendless Console, you can also use the Permissions API:

Method Signatures

The following method signatures are used for granting or denying access to a data object for a user, a role, all users, or all roles:

public void GrantForUser<T>( String userId, T dataObject )
public void GrantForUser<T>( String userId, T dataObject, AsyncCallback<Object> responder )
public void DenyForUser<T>( String userId, T dataObject )
public void DenyForUser<T>( String userId, T dataObject, AsyncCallback<Object> responder )
public void GrantForRole<T>( String roleName, T dataObject )
public void GrantForRole<T>( String roleName, T dataObject, AsyncCallback<Object> responder )
public void DenyForRole<T>( String roleName, T dataObject )
public void DenyForRole<T>( String roleName, T dataObject, AsyncCallback<Object> responder )
public void GrantForAllUsers<T>( T dataObject )
public void GrantForAllUsers<T>( T dataObject, AsyncCallback<Object> responder )
public void DenyForAllUsers<T>( T dataObject )
public void DenyForAllUsers<T>( T dataObject, AsyncCallback<Object> responder )
public void GrantForAllRoles<T>( T dataObject )
public void GrantForAllRoles<T>( T dataObject, AsyncCallback<Object> responder )
public void DenyForAllRoles<T>( T dataObject )
public void DenyForAllRoles<T>( T dataObject, AsyncCallback<Object> responder )

Call these methods on the DataPermission class, which is available in the BackendlessAPI.Persistence namespace, to set permissions for the data operations (that is, to find, update, and remove data):

  • DataPermission.FIND.<method> to set a permission to find/retrieve a data object
  • DataPermission.UPDATE.<method> to set a permission to update a data object
  • DataPermission.REMOVE.<method> to set a permission to remove a data object

To grant access for a user

DataPermission.FIND.GrantForUser( userId, dataObject );
DataPermission.UPDATE.GrantForUser( userId, dataObject );
DataPermission.REMOVE.GrantForUser( userId, dataObject );

where:

  • userId - ID of a user, for which you want to grant the find, update, or remove permission.
  • dataObject - an object for which you want to grant a permission.

To grant access for a user role

DataPermission.FIND.GrantForRole( roleName, dataObject );
DataPermission.UPDATE.GrantForRole( roleName, dataObject );
DataPermission.REMOVE.GrantForRole( roleName, dataObject );

where:

  • roleName - name of a user role, for which you want to grant the find, update, or remove permission.
  • dataObject - an object for which you want to grant a permission.

To grant access for all users

DataPermission.FIND.GrantForAllUsers( dataObject );
DataPermission.UPDATE.GrantForAllUsers( dataObject );
DataPermission.REMOVE.GrantForAllUsers( dataObject );

where:

  • dataObject - an object for which you want to grant a permission.

To grant access for all user roles

DataPermission.FIND.GrantForAllRoles( dataObject );
DataPermission.UPDATE.GrantForAllRoles( dataObject );
DataPermission.REMOVE.GrantForAllRoles( dataObject );

where:

  • dataObject - an object for which you want to grant a permission.

To deny access for a user

DataPermission.FIND.DenyForUser( userId, dataObject );
DataPermission.UPDATE.DenyForUser( userId, dataObject );
DataPermission.REMOVE.DenyForUser( userId, dataObject );

where:

  • userId - ID of a user, for which you want to deny a permission.
  • dataObject - an object for which you want to deny a permission.

To deny access for a user role

DataPermission.FIND.DenyForRole( roleName, dataObject );
DataPermission.UPDATE.DenyForRole( roleName, dataObject );
DataPermission.REMOVE.DenyForRole( roleName, dataObject );

where:

  • roleName - name of a user role, for which you want to deny a permission.
  • dataObject - an object for which you want to deny a permission.

To deny access for all users

DataPermission.FIND.DenyForAllUsers( dataObject );
DataPermission.UPDATE.DenyForAllUsers( dataObject );
DataPermission.REMOVE.DenyForAllUsers( dataObject );

where:

  • dataObject - an object for which you want to deny a permission.

To deny access for all user roles

DataPermission.FIND.DenyForAllRoles( dataObject );
DataPermission.UPDATE.DenyForAllRoles( dataObject );
DataPermission.REMOVE.DenyForAllRoles( dataObject );

where:

  • dataObject - an object for which you want to deny a permission.

Example

The example below demonstrates how to deny retrieving an object for all roles. The code loads an object from the Address table and then uses the object reference to deny any FIND-related operation for all roles.

AsyncCallback<Object> denyCallback = new AsyncCallback<Object>(
  result =>
  {
    System.Console.WriteLine( "Permission has been denied for all roles" );
  },
  fault =>
  {
    System.Console.WriteLine( "Error - " + fault );
  } );

AsyncCallback<Address> searchCallback = new AsyncCallback<Address>(
  result =>
  {
    DataPermission.FIND.DenyForAllRoles( result, denyCallback );
  },
  fault =>
  {
    System.Console.WriteLine( "Error - " + fault );
  } );

Backendless.Data.Of<Address>().FindFirst( searchCallback );
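
The following is an added example, not part of the original Backendless documentation. It combines the synchronous DenyForAllRoles and GrantForUser signatures listed above to restrict an object to a single user. The class name ObjectAcl and the method RestrictToUser are hypothetical, and the example assumes that the SDK is already initialized and that a user-level grant takes precedence over a role-level deny on the same object (confirm the resulting ACL matrix in Backendless Console).

```csharp
using BackendlessAPI.Persistence;

// Hypothetical helper (not part of the Backendless SDK).
public static class ObjectAcl
{
  // Restricts dataObject so that only the user identified by ownerId can
  // find, update, or remove it.
  //
  // Assumptions:
  //  - the Backendless SDK has already been initialized for the application;
  //  - dataObject was previously saved or loaded, so it refers to an existing
  //    object in a data table;
  //  - a user-level grant overrides a role-level deny for the same object.
  public static void RestrictToUser<T>( string ownerId, T dataObject )
  {
    // Deny first. If a later call fails, the object is left closed to all
    // roles rather than open to them (fail closed).
    DataPermission.FIND.DenyForAllRoles( dataObject );
    DataPermission.UPDATE.DenyForAllRoles( dataObject );
    DataPermission.REMOVE.DenyForAllRoles( dataObject );

    // Then grant the same three operations to the single user.
    DataPermission.FIND.GrantForUser( ownerId, dataObject );
    DataPermission.UPDATE.GrantForUser( ownerId, dataObject );
    DataPermission.REMOVE.GrantForUser( ownerId, dataObject );
  }
}
```

The ACL shown on this page covers each operation separately, so denying FIND alone, as in the example above, leaves the UPDATE and REMOVE permissions unchanged.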