In another post, we described how to restrict access to all data for “guest” users. The Backendless security model lets you control access to data tables, or more generally “asset containers”, at the role and operation levels. That means an application developer can set up security restrictions for API operations on a specific data table for a security role.
For example, a job/resume search application may have two application roles: Employer and JobSeeker. Suppose there is a table called JobListing which contains job listing objects submitted by the users in the Employer role. Actions permitted on the table for the JobSeeker role may look like these:
A JobSeeker cannot:
To set up these restrictions in Backendless Console:
Notice that the NotAuthenticatedUser is also not allowed to execute any of the API operations. As a result of the setup above, any user in the JobSeeker role will not be able to write to, or delete from, the JobListing table.