How to Secure Access to a Data Table for a Security Role

by on September 1, 2019

In another post, we described how to restrict access to all data for “guest” users. The Backendless security model lets you control access to data tables, or more generally “asset containers”, at the role and operation levels. That means an application developer can set up security restrictions for API operations on a specific data table for a security role.

For example, a job/resume search application may have two application roles: Employer and JobSeeker. Suppose there is a table called JobListing which contains job listing objects submitted by the users in the Employer role. Actions permitted on the table for the JobSeeker role may look like these:

A JobSeeker cannot:

  • Write to the JobListing table,
  • Update the JobListing table,
  • Delete from the JobListing table.

To set up these restrictions in Backendless Console:

  1. Create developer-defined permissions JobSeeker and Employer.
  2. Click the Data icon and create/select the JobListing table.
  3. Click the Table Schema and Permissions button located in the top right corner.
  4. Click the Roles Permissions menu item.
  5. Make the selections as shown in the image below by clicking the icons in the cells:

Notice that NotAuthenticatedUser is also not allowed to execute any of the API operations. As a result of the setup above, any user in the JobSeeker role will not be able to write to, or delete from, the JobListing table.
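A setup like this is easy to get subtly wrong when a cell is left untouched instead of explicitly denied, so it helps to check the resulting matrix against the intended policy. The following is an added example, not Backendless code: the matrix layout, the operation names and the `inherit` state are assumptions made for illustration, and the sample data is constructed.

```python
# Added example: audit a role/operation permission matrix for the JobListing table.
# The dict layout, operation names and the "inherit" state are assumptions for
# illustration; this is not a Backendless export format or API.

OPERATIONS = ("read", "write", "update", "delete")  # assumed operation set

# Policy described in the post: JobSeeker must be denied write/update/delete,
# and NotAuthenticatedUser must be denied every operation.
REQUIRED_DENIES = {
    "JobSeeker": {"write", "update", "delete"},
    "NotAuthenticatedUser": set(OPERATIONS),
}


def audit(matrix):
    """Return sorted (role, operation, found_state) tuples that violate the policy.

    A missing role or a missing cell is reported as 'inherit': the restriction
    was never set explicitly, so it cannot be counted as a deny.
    """
    findings = []
    for role, ops in REQUIRED_DENIES.items():
        cells = matrix.get(role, {})
        for op in ops:
            state = cells.get(op, "inherit")
            if state != "deny":
                findings.append((role, op, state))
    return sorted(findings)


# Constructed sample: the JobSeeker "update" cell was never clicked, and the
# guest role still has read access.
SAMPLE = {
    "Employer": {op: "grant" for op in OPERATIONS},
    "JobSeeker": {"read": "grant", "write": "deny", "delete": "deny"},
    "NotAuthenticatedUser": {
        "read": "grant", "write": "deny", "update": "deny", "delete": "deny",
    },
}

if __name__ == "__main__":
    for role, op, state in audit(SAMPLE):
        print(f"{role}: '{op}' is '{state}', expected 'deny'")
```
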

Enjoy!