To determine whether an API operation can proceed, Backendless works through the permission hierarchy shown below, listed from the top of the hierarchy down:
- Object-level permissions for the user who makes the call
- Object-level permissions for custom (user-defined) roles assigned to the user who makes the call
- Table permissions for the user account
- Table permissions for the custom (user-defined) roles
- Owner Policy
- Object-level permissions for system roles
- Table permissions for system-level roles
- Global custom (user-defined) roles
- Global system roles
The algorithm that decides whether an operation is handled starts at the top of the hierarchy and performs the following checks at each level:
- Check whether the current level of the hierarchy grants access to the requested operation.
- If it does, stop processing and let Backendless handle the operation.
- If it does not, and the current level is the bottom of the hierarchy, reject the invocation and return a permission error to the client; otherwise move down one level and repeat from the first check.
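The walk through the hierarchy, written out as an added example (this is illustrative code, not Backendless' own implementation). The permission store is a constructed in-memory model: sets of tuples for object-level, table-level and global grants, an owner policy keyed by table and operation, and an owner map. The table "Orders", the users "alice" and "bob", the custom role "Support" and the system role names "AuthenticatedUser" and "NotAuthenticatedUser" are assumptions made for the sample data. `resolve()` consults the nine levels in the order listed above, stops at the first one that grants, and reports which level granted, so a caller can see exactly where in the hierarchy a decision was made.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the permission hierarchy described in the text.
# Backendless does not expose its internal representation; sets of tuples
# are used here purely to make the evaluation order visible.

@dataclass(frozen=True)
class Caller:
    user_id: Optional[str]                  # None for an unauthenticated caller
    custom_roles: frozenset = frozenset()   # user-defined roles assigned to the caller
    system_roles: frozenset = frozenset()   # e.g. "AuthenticatedUser" (assumed name)

@dataclass
class PermissionStore:
    object_acl: set = field(default_factory=set)    # (table, object_id, principal, op)
    table_acl: set = field(default_factory=set)     # (table, principal, op)
    global_acl: set = field(default_factory=set)    # (principal, op)
    owner_policy: set = field(default_factory=set)  # (table, op): owners may perform op
    owners: dict = field(default_factory=dict)      # (table, object_id) -> owner user_id

def resolve(store, caller, table, object_id, op):
    """Walk the hierarchy top to bottom; return (allowed, name_of_granting_level)."""
    user = {caller.user_id} if caller.user_id else set()
    obj = lambda principals: any((table, object_id, p, op) in store.object_acl for p in principals)
    tbl = lambda principals: any((table, p, op) in store.table_acl for p in principals)
    glob = lambda principals: any((p, op) in store.global_acl for p in principals)
    is_owner = bool(user) and store.owners.get((table, object_id)) == caller.user_id

    # Same order as the list in the text: the first level that grants wins.
    hierarchy = [
        ("Object-level permissions for user",         lambda: obj(user)),
        ("Object-level permissions for custom roles", lambda: obj(caller.custom_roles)),
        ("Table permissions for user",                lambda: tbl(user)),
        ("Table permissions for custom roles",        lambda: tbl(caller.custom_roles)),
        ("Owner Policy",                              lambda: is_owner and (table, op) in store.owner_policy),
        ("Object-level permissions for system roles", lambda: obj(caller.system_roles)),
        ("Table permissions for system roles",        lambda: tbl(caller.system_roles)),
        ("Global custom roles",                       lambda: glob(caller.custom_roles)),
        ("Global system roles",                       lambda: glob(caller.system_roles)),
    ]
    for name, grants in hierarchy:
        if grants():
            return True, name   # stop here; lower levels are never consulted
    return False, None          # bottom reached without a grant: permission error

# Constructed sample data (table, users and role names are assumptions).
STORE = PermissionStore(
    object_acl={("Orders", "o1", "bob", "delete")},      # explicit per-object grant
    table_acl={("Orders", "Support", "find")},           # custom role may query the table
    global_acl={("AuthenticatedUser", "find")},          # any logged-in user may query
    owner_policy={("Orders", "update")},                 # owners may update their objects
    owners={("Orders", "o1"): "alice"},
)
ALICE = Caller("alice", frozenset(), frozenset({"AuthenticatedUser"}))
BOB = Caller("bob", frozenset({"Support"}), frozenset({"AuthenticatedUser"}))
ANON = Caller(None, frozenset(), frozenset({"NotAuthenticatedUser"}))

if __name__ == "__main__":
    for who, op in [(ALICE, "update"), (ALICE, "find"), (BOB, "find"),
                    (BOB, "delete"), (BOB, "update"), (ANON, "find")]:
        print(who.user_id, op, resolve(STORE, who, "Orders", "o1", op))
```

Running the sample shows the consequence of the "first grant wins" rule: alice's update of `o1` is decided by the Owner Policy in the middle of the hierarchy, while her `find` falls all the way to the global system-role level because nothing above it grants; bob's `update` reaches the bottom with no grant at any level and is rejected. A broad grant at a lower level is therefore only ever reached when every level above it stays silent.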