Backendless Support
 

If permissions conflict with each other, will GRANT or DENY have higher priority?

When Backendless determines whether an API operation can proceed, it works through the permission hierarchy shown below.

  1. Object-level permissions for the user who makes the call
  2. Object-level permissions for custom (user-defined) roles assigned to the user who makes the call
  3. Table permissions for the User account
  4. Table permissions for the custom (user-defined) roles
  5. Owner Policy
  6. Object-level permissions for system roles
  7. Table permissions for system-level roles
  8. Global custom (user-defined) roles
  9. Global system roles

The algorithm to determine if an operation should be handled starts at the top of the hierarchy and performs the following checks at each level:

  1. Check if the level in the hierarchy grants access to the current operation.
  2. If it does, stop processing and allow the operation to be handled by Backendless.
  3. If it does not and this is the bottom of the hierarchy, reject the invocation and return a permission error to the client; otherwise, move down one level and repeat the algorithm from step 1.
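
The walk described above, as an added sketch that is not Backendless code. The level keys, the rule format and the sample rules are constructed for illustration, and the sketch assumes one setting per level and treats a level holding a DENY as one that "does not grant", as step 3 reads.

```javascript
// Added illustration, not Backendless code. The keys are hypothetical labels
// for the nine levels listed above, in the order the article gives them.
const HIERARCHY = [
  "object/user", "object/custom-roles", "table/user", "table/custom-roles",
  "owner-policy", "object/system-roles", "table/system-roles",
  "global/custom-roles", "global/system-roles",
];

// Constructed sample settings: { level, operation, effect }.
// Assumption: at most one setting per level and operation.
const SAMPLE_RULES = [
  { level: "table/user", operation: "find", effect: "DENY" },
  { level: "global/system-roles", operation: "find", effect: "GRANT" },
  { level: "object/user", operation: "remove", effect: "GRANT" },
  { level: "table/custom-roles", operation: "remove", effect: "DENY" },
  { level: "owner-policy", operation: "update", effect: "DENY" },
];

function evaluate(rules, operation) {
  const trace = [];
  for (const level of HIERARCHY) {
    const rule = rules.find(
      (r) => r.level === level && r.operation === operation
    );
    const effect = rule ? rule.effect : "unset";
    trace.push(`${level}: ${effect}`);
    // Steps 1 and 2: the first level that grants stops the walk.
    if (effect === "GRANT") {
      return { allowed: true, decidedBy: level, trace };
    }
    // Step 3: a level that does not grant hands over to the next one down.
  }
  // Bottom reached without a grant: the client gets a permission error.
  return { allowed: false, decidedBy: null, trace };
}

for (const op of ["find", "remove", "update"]) {
  const result = evaluate(SAMPLE_RULES, op);
  console.log(op, result.allowed ? "allowed" : "rejected", result.decidedBy);
  console.log("  checked:", result.trace.join(" -> "));
}
```

The trace lists every level consulted before the deciding one, which is the thing to inspect when a GRANT and a DENY appear to conflict.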