
Permissions API

Every data object in Backendless has its own access control list (ACL): a matrix of operations and principals (the application's users or roles). The intersection of an operation and a principal contains a permission, which determines whether the principal has the right to execute the operation. A permission can be either grant or deny.

Backendless Console provides an easy-to-understand way to see and manage these permissions. For example, the screenshot below demonstrates an ACL matrix for an object. Notice the intersection of the column for the Create operation and the AuthenticatedUser role. The cell contains a green checkmark icon indicating that the permission is granted:

[Image: permission-matrix]

In addition to managing the ACL permissions with Backendless Console, you can manage them with the Permissions API:

Methods

The methods described below grant or deny access to a data object for a user, a role, all users, or all roles.

The PermissionOperation enum provides a set of options for operations to manage permissions for an object stored in a data table. Each option represents a specific operation that can be performed on the object's permissions:

// Permission operations (Swift)
@objc public enum PermissionOperation: Int, Codable {
    case UPDATE
    case FIND
    case REMOVE
    case LOAD_RELATIONS
    case ADD_RELATION
    case DELETE_RELATION
    case UPSERT
}

// The same enum as exposed to Objective-C
typedef SWIFT_ENUM(NSInteger, PermissionOperation, closed) {
    PermissionOperationUPDATE = 0,
    PermissionOperationFIND = 1,
    PermissionOperationREMOVE = 2,
    PermissionOperationLOAD_RELATIONS = 3,
    PermissionOperationADD_RELATION = 4,
    PermissionOperationDELETE_RELATION = 5,
    PermissionOperationUPSERT = 6
};

To grant access for a user

// Objective-C
@interface Movie: NSObject
@property (strong, nonatomic) NSString *objectId;
@end


Movie *movie = [Movie new];
movie.objectId = @"BDB25104-E4B2-4B94-8ED9-437D1F239060";

[Backendless.shared.data.permissions grantForUserWithUserId:@"BC019481-A543-48EB-B821-47508B68B7A1" entity:movie operation:PermissionOperationUPDATE responseHandler:^{
    // handle response
} errorHandler:^(Fault *fault) {
    // handle error
}];

// Swift
@objcMembers class Movie: NSObject {
    var objectId: String?
}

let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

Backendless.shared.data.permissions.grantForUser(userId: "BC019481-A543-48EB-B821-47508B68B7A1", entity: movie, operation: .UPDATE, responseHandler: {
    // handle response
}, errorHandler: { fault in
    // handle error
})

where:

Argument                Description
userId                  A user ID, for which you want to grant a permission.
entity                  A data object for which you want to grant the permission.
operation               Identifies a specific permission to grant to a user. Refer to the PermissionOperation enum to see all options.

Codeless Reference

[Image: data_permissions_api_1]

where:

Argument                Description
GRANT/DENY              Specifies whether the permission must be granted or revoked.
FIND/REMOVE/UPDATE      Identifies the permission type to grant to a user.
data object             A data object for which you want to grant the permission.
user id                 A user ID, for which you want to grant the permission.
return result           When this checkbox is selected, the operation returns an empty string value.
objectId                Required property. Represents the unique identifier of the object in the data table.
__class                 Required property. Represents the name of the data table where the operation takes place.

To grant access for a user role

// Objective-C
@interface Movie: NSObject
@property (strong, nonatomic) NSString *objectId;
@end

Movie *movie = [Movie new];
movie.objectId = @"BDB25104-E4B2-4B94-8ED9-437D1F239060";

[Backendless.shared.data.permissions grantForRoleWithRole:@"TrialUser" entity:movie operation:PermissionOperationUPDATE responseHandler:^{
    // handle response
} errorHandler:^(Fault *fault) {
    // handle error
}];

// Swift
@objcMembers class Movie: NSObject {
    var objectId: String?
}

let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

Backendless.shared.data.permissions.grantForRole(role: "TrialUser", entity: movie, operation: .UPDATE, responseHandler: {
    // handle response
}, errorHandler: { fault in
    // handle error
})

where:

Argument                Description
role                    A role name, for which you want to grant a permission.
entity                  A data object for which you want to grant the permission.
operation               Identifies a specific permission to grant to a role. Refer to the PermissionOperation enum to see all options.

Codeless Reference

[Image: data_permissions_api_2]

where:

Argument                Description
GRANT/DENY              Specifies whether the permission must be granted or revoked.
FIND/REMOVE/UPDATE      Identifies the permission type to grant to a role.
data object             A data object for which you want to grant the permission.
role name               A role name, for which you want to grant a permission.
return result           When this checkbox is selected, the operation returns an empty string value.
objectId                Required property. Represents the unique identifier of the object in the data table.
__class                 Required property. Represents the name of the data table where the operation takes place.

To grant access for all users

// Objective-C
@interface Movie: NSObject
@property (strong, nonatomic) NSString *objectId;
@end

Movie *movie = [Movie new];
movie.objectId = @"BDB25104-E4B2-4B94-8ED9-437D1F239060";

[Backendless.shared.data.permissions grantForAllUsersWithEntity:movie operation:PermissionOperationUPDATE responseHandler:^{
    // handle response
} errorHandler:^(Fault *fault) {
    // handle error
}];

// Swift
@objcMembers class Movie: NSObject {
    var objectId: String?
}

let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

Backendless.shared.data.permissions.grantForAllUsers(entity: movie, operation: .UPDATE, responseHandler: {
    // handle response
}, errorHandler: { fault in
    // handle error
})

where:

Argument                Description
entity                  A data object for which you want to grant the permission.
operation               Identifies a specific permission to grant to all users. Refer to the PermissionOperation enum to see all options.

Codeless Reference

[Image: data_permissions_api_3]

where:

Argument                Description
GRANT/DENY              Specifies whether the permission must be granted or revoked.
FIND/REMOVE/UPDATE      Identifies the permission type to grant to all users.
data object             A data object for which you want to grant the permission.
return result           When this checkbox is selected, the operation returns an empty string value.
objectId                Required property. Represents the unique identifier of the object in the data table.
__class                 Required property. Represents the name of the data table where the operation takes place.

To grant access for all roles

// Objective-C
@interface Movie: NSObject
@property (strong, nonatomic) NSString *objectId;
@end

Movie *movie = [Movie new];
movie.objectId = @"BDB25104-E4B2-4B94-8ED9-437D1F239060";

[Backendless.shared.data.permissions grantForAllRolesWithEntity:movie operation:PermissionOperationUPDATE responseHandler:^{
    // handle response
} errorHandler:^(Fault *fault) {
    // handle error
}];

// Swift
@objcMembers class Movie: NSObject {
    var objectId: String?
}

let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

Backendless.shared.data.permissions.grantForAllRoles(entity: movie, operation: .UPDATE, responseHandler: {
    // handle response
}, errorHandler: { fault in
    // handle error
})

where:

Argument                Description
entity                  A data object for which you want to grant the permission.
operation               Identifies a specific permission to grant to all roles. Refer to the PermissionOperation enum to see all options.

Codeless Reference

[Image: data_permissions_api_4]

where:

Argument                Description
GRANT/DENY              Specifies whether the permission must be granted or revoked.
FIND/REMOVE/UPDATE      Identifies the permission type to grant to all roles.
data object             A data object for which you want to grant the permission.
return result           When this checkbox is selected, the operation returns an empty string value.
objectId                Required property. Represents the unique identifier of the object in the data table.
__class                 Required property. Represents the name of the data table where the operation takes place.

To deny access for a user

// Objective-C
@interface Movie: NSObject
@property (strong, nonatomic) NSString *objectId;
@end

Movie *movie = [Movie new];
movie.objectId = @"BDB25104-E4B2-4B94-8ED9-437D1F239060";

[Backendless.shared.data.permissions denyForUserWithUserId:@"BC019481-A543-48EB-B821-47508B68B7A1" entity:movie operation:PermissionOperationUPDATE responseHandler:^{
    // handle response
} errorHandler:^(Fault *fault) {
    // handle error
}];

// Swift
@objcMembers class Movie: NSObject {
    var objectId: String?
}

let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

Backendless.shared.data.permissions.denyForUser(userId: "BC019481-A543-48EB-B821-47508B68B7A1", entity: movie, operation: .UPDATE, responseHandler: {
    // handle response
}, errorHandler: { fault in
    // handle error
})

where:

Argument                Description
userId                  A user ID, for which you want to revoke a permission.
entity                  A data object for which you want to revoke the permission.
operation               Identifies a specific permission to revoke from a user. Refer to the PermissionOperation enum to see all options.

Codeless Reference

[Image: data_permissions_api_5]

where:

Argument                Description
GRANT/DENY              Specifies whether the permission must be granted or revoked.
FIND/REMOVE/UPDATE      Identifies the permission type to revoke from a user.
data object             A data object for which you want to revoke the permission.
user id                 A user ID, for which you want to revoke a permission.
return result           When this checkbox is selected, the operation returns an empty string value.
objectId                Required property. Represents the unique identifier of the object in the data table.
__class                 Required property. Represents the name of the data table where the operation takes place.

To deny access for a user role

// Objective-C
@interface Movie: NSObject
@property (strong, nonatomic) NSString *objectId;
@end

Movie *movie = [Movie new];
movie.objectId = @"BDB25104-E4B2-4B94-8ED9-437D1F239060";

[Backendless.shared.data.permissions denyForRoleWithRole:@"TrialUser" entity:movie operation:PermissionOperationUPDATE responseHandler:^{
    // handle response
} errorHandler:^(Fault *fault) {
    // handle error
}];

// Swift
@objcMembers class Movie: NSObject {
    var objectId: String?
}

let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

Backendless.shared.data.permissions.denyForRole(role: "TrialUser", entity: movie, operation: .UPDATE, responseHandler: {
    // handle response
}, errorHandler: { fault in
    // handle error
})

where:

Argument                Description
role                    A role name, for which you want to revoke a permission.
entity                  A data object for which you want to revoke the permission.
operation               Identifies a specific permission to revoke from a role. Refer to the PermissionOperation enum to see all options.

Codeless Reference

[Image: data_permissions_api_6]

where:

Argument                Description
GRANT/DENY              Specifies whether the permission must be granted or revoked.
FIND/REMOVE/UPDATE      Identifies the permission type to revoke from a role.
data object             A data object for which you want to revoke the permission.
role name               A role name, for which you want to revoke a permission.
return result           When this checkbox is selected, the operation returns an empty string value.
objectId                Required property. Represents the unique identifier of the object in the data table.
__class                 Required property. Represents the name of the data table where the operation takes place.
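
Each call above changes one operation for one principal, so restricting a role takes one call per operation, and any of those calls can fail on its own. The following added example (not part of the Backendless documentation) denies every modifying operation from the PermissionOperation enum for a role and collects the faults so that a partially applied ACL is noticed. The helper name denyWrites, the choice of which operations count as modifying, and the SwiftSDK module name are assumptions.

```swift
import Foundation
import SwiftSDK  // assumed module name of the Backendless Swift SDK

@objcMembers class Movie: NSObject {
    var objectId: String?
}

// Operations treated here as modifying the object or its relations
// (an assumption; the cases themselves come from PermissionOperation).
let writeOperations: [PermissionOperation] =
    [.UPDATE, .REMOVE, .ADD_RELATION, .DELETE_RELATION, .UPSERT]

/// Hypothetical helper: issues one denyForRole call per operation and
/// reports every call that failed once all of them have finished.
func denyWrites(forRole role: String, entity: Movie,
                completion: @escaping ([(PermissionOperation, Fault)]) -> Void) {
    let group = DispatchGroup()
    let lock = NSLock()  // handlers may run on different queues
    var failures: [(PermissionOperation, Fault)] = []

    for operation in writeOperations {
        group.enter()
        Backendless.shared.data.permissions.denyForRole(role: role, entity: entity, operation: operation, responseHandler: {
            group.leave()
        }, errorHandler: { fault in
            lock.lock()
            failures.append((operation, fault))
            lock.unlock()
            group.leave()
        })
    }
    group.notify(queue: .main) { completion(failures) }
}

let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

denyWrites(forRole: "TrialUser", entity: movie) { failures in
    if failures.isEmpty {
        print("All write operations denied for TrialUser")
    } else {
        // The role still holds whatever permission it had for these operations.
        for (operation, fault) in failures {
            print("deny failed for operation \(operation.rawValue): \(fault)")
        }
    }
}
```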

To deny access for all users

// Objective-C
@interface Movie: NSObject
@property (strong, nonatomic) NSString *objectId;
@end

Movie *movie = [Movie new];
movie.objectId = @"BDB25104-E4B2-4B94-8ED9-437D1F239060";

[Backendless.shared.data.permissions denyForAllUsersWithEntity:movie operation:PermissionOperationUPDATE responseHandler:^{
    // handle response
} errorHandler:^(Fault *fault) {
    // handle error
}];

// Swift
@objcMembers class Movie: NSObject {
    var objectId: String?
}

let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

Backendless.shared.data.permissions.denyForAllUsers(entity: movie, operation: .UPDATE, responseHandler: {
    // handle response
}, errorHandler: { fault in
    // handle error
})

where:

Argument                Description
entity                  A data object for which you want to revoke the permission.
operation               Identifies a specific permission to revoke from all users. Refer to the PermissionOperation enum to see all options.

Codeless Reference

[Image: data_permissions_api_7]

where:

Argument                Description
GRANT/DENY              Specifies whether the permission must be granted or revoked.
FIND/REMOVE/UPDATE      Identifies the permission type to revoke from all users.
data object             A data object for which you want to revoke the permission.
return result           When this checkbox is selected, the operation returns an empty string value.
objectId                Required property. Represents the unique identifier of the object in the data table.
__class                 Required property. Represents the name of the data table where the operation takes place.

To deny access for all user roles

// Objective-C
@interface Movie: NSObject
@property (strong, nonatomic) NSString *objectId;
@end

Movie *movie = [Movie new];
movie.objectId = @"BDB25104-E4B2-4B94-8ED9-437D1F239060";

[Backendless.shared.data.permissions denyForAllRolesWithEntity:movie operation:PermissionOperationUPDATE responseHandler:^{
    // handle response
} errorHandler:^(Fault *fault) {
    // handle error
}];

// Swift
@objcMembers class Movie: NSObject {
    var objectId: String?
}


let movie = Movie()
movie.objectId = "BDB25104-E4B2-4B94-8ED9-437D1F239060"

Backendless.shared.data.permissions.denyForAllRoles(entity: movie, operation: .UPDATE, responseHandler: {
    // handle response
}, errorHandler: { fault in
    // handle error
})

where:

Argument                Description
entity                  A data object for which you want to revoke the permission.
operation               Identifies a specific permission to revoke from all roles. Refer to the PermissionOperation enum to see all options.

Codeless Reference

[Image: data_permissions_api_8]

where:

Argument                Description
GRANT/DENY              Specifies whether the permission must be granted or revoked.
FIND/REMOVE/UPDATE      Identifies the permission type to revoke from all roles.
data object             A data object for which you want to revoke the permission.
return result           When this checkbox is selected, the operation returns an empty string value.
objectId                Required property. Represents the unique identifier of the object in the data table.
__class                 Required property. Represents the name of the data table where the operation takes place.