User and Roles-Based Security

Access control for service APIs based on the application's users and roles

One of the core features of Backendless API Engine is the ability to restrict access to the service APIs for the application’s users and security roles. The Backendless container runtime, where hosted and imported services reside, is tightly integrated with the identity management function of the Backendless mBaaS product. You can establish a powerful and secure system for guarding access to the service APIs using the intuitive user interface of the Backendless console.

Multi-tiered Security Hierarchy

A Backendless backend manages the application’s users and may group them into roles which share common security permissions. Application users and roles can also be referred to as ‘principals’. Services running in API Engine can be viewed as “subjects”. Service methods are naturally the operations which may need to be restricted for users and/or roles. The combination of a principal, a subject and an operation forms a triplet, which is the core element of our security system. For each triplet, the principal is either granted or denied permission to execute the operation on the subject.

Application Roles

Application roles are an important concept, as they provide a way to group multiple users into a common “security profile”. Security permissions may be assigned (granted or denied) to roles. As a result, any user who belongs to a role automatically inherits the permissions assigned to it.

Custom User to Role Assignment

Backendless provides several ways to manage user-to-role assignment. This can be done using the graphical management interface in Backendless console or with a specialized “Permission API”. The API is restricted to server-side use only and can be called from custom server code deployed in Backendless (services or event handlers).

Asset Permissions

Backendless identifies several “assets” in the backend system, and access to each asset is controlled by security permissions. Examples of these assets are data tables, files, messaging channels and deployed services. Each asset type has a set of operations, which are the actual APIs executing an asset function. In the context of API Engine, these operations are the service methods.

Access Control Lists

Objects stored in the Backendless Data Service have an additional layer of security. Each object may have its own level of protection through an Access Control List (ACL). A data object’s ACL establishes the rules for application users and roles with respect to that specific object and the operations permitted on it.

Method Level Security

Backendless security equally applies to services deployed in API Engine. Security permissions to allow or reject service operation invocation may be assigned to the application users and/or roles. When a service operation is secured for a user, the user must be authenticated in order to execute the service method.
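The following is an added, constructed model of the principal / subject / operation triplets, role inheritance and method-level security described above; it is illustrative code written for this page, not the Backendless Permission API. The precedence rules it applies (a user-specific rule outranks role rules, an explicit deny among a user's roles wins, a method with no rules is open, and a secured method defaults to deny) are assumptions of the example, not behaviour documented on this page.

```python
from dataclasses import dataclass

# Constructed example: a resolver for (principal, subject, operation) triplets.
# Not the Backendless Permission API; precedence rules below are assumptions.
GRANT, DENY = "grant", "deny"


@dataclass
class User:
    name: str
    roles: frozenset = frozenset()   # roles the user belongs to
    authenticated: bool = True       # False models an anonymous caller


class PermissionTable:
    """Rules keyed by (principal, subject, operation): principal is a user name
    or a role name, subject is a service, operation is a service method."""

    def __init__(self):
        self._rules = {}

    def set_rule(self, principal, subject, operation, decision):
        if decision not in (GRANT, DENY):
            raise ValueError(f"unknown decision {decision!r}")
        self._rules[(principal, subject, operation)] = decision

    def is_secured(self, subject, operation):
        # Assumption: a method counts as "secured" once any rule exists for it.
        return any(s == subject and o == operation for (_, s, o) in self._rules)

    def allowed(self, user, subject, operation):
        if not self.is_secured(subject, operation):
            return True                  # assumption: unsecured methods are open
        if not user.authenticated:
            return False                 # secured methods require authentication
        user_rule = self._rules.get((user.name, subject, operation))
        if user_rule is not None:
            return user_rule == GRANT    # assumption: user rule outranks role rules
        role_rules = {self._rules.get((r, subject, operation)) for r in user.roles}
        role_rules.discard(None)
        if DENY in role_rules:
            return False                 # assumption: an explicit deny wins
        return GRANT in role_rules       # no applicable rule: default deny


def example_table():
    """Constructed sample: an OrderService with secured cancelOrder and refund."""
    table = PermissionTable()
    table.set_rule("admins", "OrderService", "cancelOrder", GRANT)
    table.set_rule("contractors", "OrderService", "cancelOrder", DENY)
    table.set_rule("alice", "OrderService", "refund", GRANT)
    return table
```

A user in both `admins` and `contractors` is refused `cancelOrder` because the deny on `contractors` wins, while `listOrders`, which has no rules, stays open even to an unauthenticated caller.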