A Backendless backend manages the application’s users and may group them into roles that share common security permissions. Application users and roles are also referred to as “principals”. Services running in API Engine can be viewed as “subjects”. Service methods are naturally the operations which may need to be restricted for users and/or roles. The combination of a principal, a subject and an operation forms a triplet, which is the core element of our security system. Each triplet is either granted or denied permission, which determines whether the principal may execute the operation on the subject.
One of the core features of Backendless API Engine is the ability to restrict access to the service APIs for the application’s users and security roles. The Backendless container runtime, where hosted and imported services reside, is tightly integrated with the identity management function of the Backendless mBaaS product. You can establish a powerful and secure system for guarding access to the service APIs using the intuitive user interface of the Backendless console.
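The principal, subject and operation triplet described above can be modelled as a small rule store with a decision function. This is an added example, not Backendless code or its API. The precedence rules (default deny, a user triplet overriding role triplets, any role deny winning, `*` covering all methods of a service) are assumptions, and every service, method, role and user name is constructed.

```javascript
// Added example, not Backendless code. Assumptions: default deny, a user triplet
// overrides role triplets, any role deny wins, "*" covers every method of a service.
const GRANT = "grant";
const DENY = "deny";

class TripletStore {
  constructor() {
    this.rules = new Map(); // JSON key [kind, principal, service, method] -> effect
  }

  set(kind, principal, service, method, effect) {
    if (kind !== "user" && kind !== "role") throw new Error(`bad principal kind: ${kind}`);
    if (effect !== GRANT && effect !== DENY) throw new Error(`bad effect: ${effect}`);
    this.rules.set(JSON.stringify([kind, principal, service, method]), effect);
  }

  // An exact method triplet is more specific than the service-wide "*" triplet.
  lookup(kind, principal, service, method) {
    return this.rules.get(JSON.stringify([kind, principal, service, method]))
      ?? this.rules.get(JSON.stringify([kind, principal, service, "*"]));
  }

  // Returns { allowed, reason } so every decision can be logged for audit.
  check(user, roles, service, method) {
    const own = this.lookup("user", user, service, method);
    if (own) return { allowed: own === GRANT, reason: `user:${user} ${own}` };
    const hits = roles
      .map((role) => [role, this.lookup("role", role, service, method)])
      .filter(([, effect]) => effect !== undefined);
    const denied = hits.find(([, effect]) => effect === DENY);
    if (denied) return { allowed: false, reason: `role:${denied[0]} deny` };
    if (hits.length > 0) return { allowed: true, reason: `role:${hits[0][0]} grant` };
    return { allowed: false, reason: "no matching triplet" };
  }
}

// Constructed sample data: service, method, role and user names are hypothetical.
function demoStore() {
  const store = new TripletStore();
  store.set("role", "Customer", "OrderService", "*", GRANT);
  store.set("role", "Customer", "OrderService", "refund", DENY);
  store.set("role", "Support", "OrderService", "refund", GRANT);
  store.set("user", "alice@example.com", "OrderService", "refund", GRANT);
  store.set("user", "mallory@example.com", "OrderService", "*", DENY);
  return store;
}
```

Under these assumptions a user holding both sample roles is still denied `refund`, because the deny on one role outweighs the grant on the other, while the per-user grant lets `alice@example.com` through.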