How to define user roles – an essential block to securing your app data

by on January 26, 2015

In a Backendless backend, you can restrict access to API operations and/or application data. A restriction may apply either to specific users or to roles. When a restriction applies to a role, it automatically applies to the users in that role. For example, suppose you have two roles in a job-searching application – employer and job-candidate. Each role will have a certain set of permissions; for instance, an employer can see all the candidates who applied for a job.

Backendless supports two types of roles – system-defined and developer-defined roles. System roles automatically come with the backend; Backendless assigns them based on how the user logs in or accesses the app. For example, the AuthenticatedUser role is assigned to any users who successfully log in.

The greatest flexibility in tuning security for an app comes in the form of developer-defined roles. A custom role can be assigned to users based on the business rules of your app and have a completely unique set of permissions. These permissions may restrict API operations and limit access to app data – data objects, files, geopoints and media streams. To create a developer-defined role:

  1. Log in to Backendless Console, select your app and click the Users icon.
  2. Click the Security and Restrictions menu.
  3. Click the Add Role button in the Application Roles section.
  4. Enter the role name and click the Save button.

Once the role is created, you can click the role name to see the global permission matrix (which is a feature on its own and will be discussed separately).
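As an added illustration (not code from this post or from Backendless), the following Python models the restriction scheme described above: a permission matrix with user-level and role-level grants and denies, the AuthenticatedUser system role assigned on login, and the two developer-defined roles from the job-searching example. The precedence rule (any applicable deny wins, otherwise an explicit grant is required) and all sample data are assumptions.

```python
# Simplified model of the restrictions this post describes: user-level and
# role-level settings, a role's restriction reaching every user in it, the
# AuthenticatedUser system role assigned on login, developer-defined roles
# assigned by business rule. Constructed illustration, not Backendless code.
# Assumed precedence: any applicable deny wins; otherwise an explicit grant
# is required (default deny).
GRANT, DENY = "grant", "deny"

# Developer-defined role membership, set by the app's business rules
# (constructed sample data).
USER_ROLES = {
    "alice": {"employer"},
    "bob": {"job-candidate"},
    "carol": {"job-candidate"},
}

# Permission matrix: principal -> {operation: GRANT | DENY}, where a
# principal is ("role", name) or ("user", id). Constructed sample data.
MATRIX = {
    ("role", "AuthenticatedUser"): {"Jobs.find": GRANT},
    ("role", "employer"): {"Candidates.find": GRANT},
    ("role", "job-candidate"): {"Candidates.find": DENY,
                                "Applications.create": GRANT},
    ("user", "bob"): {"Applications.create": DENY},  # one suspended account
}


def effective_roles(user_id, logged_in):
    """System roles follow from how the user accessed the app;
    developer-defined roles come from USER_ROLES."""
    roles = set(USER_ROLES.get(user_id, set()))
    if logged_in:
        roles.add("AuthenticatedUser")  # assigned automatically on login
    return roles


def is_allowed(user_id, logged_in, operation):
    principals = [("user", user_id)]
    principals += [("role", r) for r in effective_roles(user_id, logged_in)]
    decisions = {MATRIX.get(p, {}).get(operation) for p in principals}
    if DENY in decisions:  # a restriction on a role applies to all its users
        return False
    return GRANT in decisions  # no grant from user or any role: default deny


if __name__ == "__main__":
    for user, logged_in, op in [("alice", True, "Candidates.find"),
                                ("bob", True, "Applications.create"),
                                ("carol", False, "Jobs.find")]:
        print(user, op, "allowed" if is_allowed(user, logged_in, op) else "denied")
```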

Enjoy!