How to manage a data object’s ACL using the API

April 6, 2015

In another post, we described how to adjust an object’s access control list (ACL) using Backendless Console. As we mentioned, in addition to Backendless Console, an object’s permissions can also be controlled through the API. For any persistent object, Backendless supports the following capabilities:

Granting/rejecting permission to execute a find/save/update/delete operation on an object based on:

  • the specific user,
  • the specific user’s role,
  • all users,
  • all roles.

The general API usage pattern is:

DataPermission.<OPERATION>.grantForUser( userObjectId, dataObject )
DataPermission.<OPERATION>.denyForAllRoles( dataObject )

Where <OPERATION> can be FIND, UPDATE, or REMOVE. There are many more methods available for the <OPERATION> class supporting all the combinations listed above.

The sample below grants a user permission to execute FIND operations and, in addition, denies all roles the ability to run searches. As a result, the ability to search for that specific object becomes exclusive to the specified user.

Asynchronous API sample (Android and Plain Java):

final AsyncCallback<Incident> grantForUserResponder = new AsyncCallback<Incident>()
{
    @Override
    public void handleResponse( Incident aVoid )
    {
       System.out.println( "Permission has been granted to user" );
    }
    @Override
    public void handleFault( BackendlessFault backendlessFault )
    {
        System.out.println( "Server reported an error - " + backendlessFault.getMessage() );
    }
};
final AsyncCallback<Incident> denyForAllRolesResponder = new AsyncCallback<Incident>()
{
    @Override
    public void handleResponse( Incident aVoid )
    {
       System.out.println( "Permission has been denied for all roles" );
    }
    @Override
    public void handleFault( BackendlessFault backendlessFault )
    {
        System.out.println( "Server reported an error - " + backendlessFault.getMessage() );
    }
};
BackendlessDataQuery query = new BackendlessDataQuery();
query.setWhereClause( "email = 'spidey@backendless.com'" );
Backendless.Data.of( BackendlessUser.class ).find( query, new AsyncCallback<BackendlessCollection<BackendlessUser>>()
{
    @Override
    public void handleResponse( BackendlessCollection<BackendlessUser> users )
    {
        final BackendlessUser user = users.getCurrentPage().get( 0 );
        Backendless.Data.of( Incident.class ).findFirst( new AsyncCallback<Incident>()
        {
            @Override
            public void handleResponse( Incident incident )
            {
                DataPermission.FIND.grantForUser( user.getObjectId(), incident, grantForUserResponder );
                DataPermission.FIND.denyForAllRoles( incident, denyForAllRolesResponder );
            }
            @Override
            public void handleFault( BackendlessFault backendlessFault )
            {
                System.out.println( "Server reported an error - " + backendlessFault.getMessage() );
            }
        } );
    }
    @Override
    public void handleFault( BackendlessFault backendlessFault )
    {
        System.out.println( "Server reported an error - " + backendlessFault.getMessage() );
    }
} );

Synchronous API sample (Plain Java only):

// Incident is a user-defined table class; pick the first object in that table
Incident incident = Backendless.Data.of( Incident.class ).findFirst();
// Look up the user who should become the only principal able to FIND the object
BackendlessCollection<BackendlessUser> users;
BackendlessDataQuery query = new BackendlessDataQuery();
query.setWhereClause( "email = 'spidey@backendless.com'" );
users = Backendless.Data.of( BackendlessUser.class ).find( query );
BackendlessUser user = users.getCurrentPage().get( 0 );
// Grant FIND to that user, then deny FIND to every role
DataPermission.FIND.grantForUser( user.getObjectId(), incident );
DataPermission.FIND.denyForAllRoles( incident );

Once the code runs, the ACL permission matrix for the object shows the FIND permission granted to the specified user under "User permissions" and the FIND permission denied for all roles under "Role permissions" (screenshots of both views accompanied the original post).
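The following is an added example, not code from the original post or from Backendless, that extends the same scenario to all three operations the post names (FIND, UPDATE, REMOVE) and refuses to proceed when the user lookup is ambiguous. It assumes the Incident table class and the Backendless SDK classes used in the samples above (imports omitted), and that DataPermission values can be placed in an array.

```java
// Added example (not from the original post): make one data object usable
// by exactly one user for FIND, UPDATE and REMOVE.  Same SDK classes and
// Incident table class as the post's samples; imports omitted.
public final class ExclusiveObjectAccess
{
    // Operations the post lists for <OPERATION>; covering all three means the
    // object is not only unreadable but also unchangeable by anyone else.
    private static final DataPermission[] OPERATIONS =
        { DataPermission.FIND, DataPermission.UPDATE, DataPermission.REMOVE };

    public static void restrictToUser( Object dataObject, String email )
    {
        // The where clause is a query string; a quote character in the value
        // would change its meaning, so reject such input instead of embedding it.
        if( email.indexOf( '\'' ) >= 0 )
            throw new IllegalArgumentException( "Unexpected quote in email" );

        BackendlessDataQuery query = new BackendlessDataQuery();
        query.setWhereClause( "email = '" + email + "'" );
        BackendlessCollection<BackendlessUser> users =
            Backendless.Data.of( BackendlessUser.class ).find( query );
        List<BackendlessUser> page = users.getCurrentPage();

        // Refuse an ambiguous lookup: granting to the wrong account would
        // silently hand the object to someone else.
        if( page.isEmpty() )
            throw new IllegalStateException( "No user with email " + email );
        if( page.size() > 1 )
            throw new IllegalStateException( "Email is not unique: " + email );
        String userId = page.get( 0 ).getObjectId();

        // Deny first: if the grant call then fails, the object is left locked
        // down rather than open to every role (fail closed).
        for( DataPermission op : OPERATIONS )
            op.denyForAllRoles( dataObject );
        for( DataPermission op : OPERATIONS )
            op.grantForUser( userId, dataObject );
    }

    public static void main( String[] args )
    {
        Incident incident = Backendless.Data.of( Incident.class ).findFirst();
        restrictToUser( incident, "spidey@backendless.com" );
        System.out.println( "Incident restricted to a single user" );
    }
}
```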