Backendless Support
 

Managing an object's ACL using the API

Backendless offers two ways to adjust an object's access control list (ACL): using the Backendless console (see the topic "Adjustment object's access control list (ACL) using Backendless console") or using the API.

This topic covers adjusting the ACL through the API.

For any persisted object, Backendless supports the following capability:

Granting or rejecting permission to execute a find/save/update/delete operation on the object for:

  • a user
  • a role
  • all users
  • all roles

The general API usage pattern is:

DataPermission.<OPERATION>.grantForUser( userObjectId, dataObject )
DataPermission.<OPERATION>.denyForAllRoles( dataObject )

In this pattern, <OPERATION> can be FIND, UPDATE, or REMOVE.

There are many more methods available on the <OPERATION> class supporting all the combinations listed above.

The sample below grants a user permission to execute FIND operations on an object. Additionally, it denies all roles permission to run searches for that object. As a result, the ability to run a search for the specific object is exclusive to the specified user.

Asynchronous API sample (Android and Plain Java):

// Callback for the grantForUser call
final AsyncCallback<Incident> grantForUserResponder = new AsyncCallback<Incident>()
{
  @Override
  public void handleResponse( Incident aVoid )
  {
    System.out.println( "Permission has been granted to user" );
  }

  @Override
  public void handleFault( BackendlessFault backendlessFault )
  {
    System.out.println( "Server reported an error - " + backendlessFault.getMessage() );
  }
};

// Callback for the denyForAllRoles call
final AsyncCallback<Incident> denyForAllRolesResponder = new AsyncCallback<Incident>()
{
  @Override
  public void handleResponse( Incident aVoid )
  {
    System.out.println( "Permission has been denied for all roles" );
  }

  @Override
  public void handleFault( BackendlessFault backendlessFault )
  {
    System.out.println( "Server reported an error - " + backendlessFault.getMessage() );
  }
};

// Look up the user who should keep access to the object
BackendlessDataQuery query = new BackendlessDataQuery();
query.setWhereClause( "email = 'spidey@backendless.com'" );
Backendless.Data.of( BackendlessUser.class ).find( query, new AsyncCallback<BackendlessCollection<BackendlessUser>>()
{
  @Override
  public void handleResponse( BackendlessCollection<BackendlessUser> users )
  {
    // Do not touch the ACL if the lookup returned no user
    if( users.getCurrentPage().isEmpty() )
    {
      System.out.println( "No user found for the specified email" );
      return;
    }

    final BackendlessUser user = users.getCurrentPage().get( 0 );

    // Load the object whose ACL will be changed
    Backendless.Data.of( Incident.class ).findFirst( new AsyncCallback<Incident>()
    {
      @Override
      public void handleResponse( Incident incident )
      {
        // Grant FIND to the user, then deny FIND for all roles
        DataPermission.FIND.grantForUser( user.getObjectId(), incident, grantForUserResponder );
        DataPermission.FIND.denyForAllRoles( incident, denyForAllRolesResponder );
      }

      @Override
      public void handleFault( BackendlessFault backendlessFault )
      {
        System.out.println( "Server reported an error - " + backendlessFault.getMessage() );
      }
    } );
  }

  @Override
  public void handleFault( BackendlessFault backendlessFault )
  {
    System.out.println( "Server reported an error - " + backendlessFault.getMessage() );
  }
} );
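
Synchronous API sample (Plain Java only):

// Load the object whose ACL will be changed
Incident incident = Backendless.Data.of( Incident.class ).findFirst();

// Look up the user who should keep access to the object
BackendlessCollection<BackendlessUser> users;
BackendlessDataQuery query = new BackendlessDataQuery();
query.setWhereClause( "email = 'spidey@backendless.com'" );
users = Backendless.Data.of( BackendlessUser.class ).find( query );

// Do not touch the ACL if the lookup returned no user
if( users.getCurrentPage().isEmpty() )
  throw new IllegalStateException( "No user found for the specified email" );

BackendlessUser user = users.getCurrentPage().get( 0 );

// Grant FIND to the user, then deny FIND for all roles
DataPermission.FIND.grantForUser( user.getObjectId(), incident );
DataPermission.FIND.denyForAllRoles( incident );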

Once the code runs, the ACL permission matrix for the object will look as shown in the images below.

[Image: user permissions]

[Image: role permissions]
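
The same grant-for-user plus deny-for-all-roles pattern, extended to all three operations named above (FIND, UPDATE, REMOVE), as an added example that is not part of the original article or Backendless's own code. The class name OwnerOnlyAcl, the methods resolveUser and restrictToUser, the email allow-list pattern and the import package names are assumptions; only the DataPermission and Backendless.Data calls come from the samples on this page.

```java
// Added example. Package names are assumed from the Java SDK used in the samples above.
import com.backendless.Backendless;
import com.backendless.BackendlessUser;
import com.backendless.persistence.BackendlessDataQuery;
import com.backendless.persistence.DataPermission;

import java.util.List;
import java.util.regex.Pattern;

public final class OwnerOnlyAcl   // hypothetical helper class
{
  // Conservative allow-list so no quote or whitespace can reach the where clause.
  private static final Pattern EMAIL = Pattern.compile( "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$" );

  private OwnerOnlyAcl() {}

  /** Resolves exactly one user by email; refuses to guess on zero or several matches. */
  static BackendlessUser resolveUser( String email )
  {
    if( email == null || !EMAIL.matcher( email ).matches() )
      throw new IllegalArgumentException( "Rejected email value" );

    BackendlessDataQuery query = new BackendlessDataQuery();
    query.setWhereClause( "email = '" + email + "'" );
    List<BackendlessUser> page =
        Backendless.Data.of( BackendlessUser.class ).find( query ).getCurrentPage();

    if( page.size() != 1 )
      throw new IllegalStateException( "Expected exactly one user, found " + page.size() );
    return page.get( 0 );
  }

  /** Makes FIND, UPDATE and REMOVE on dataObject exclusive to one user. */
  static <T> void restrictToUser( String email, T dataObject )
  {
    // Resolve the user before touching the ACL, so a failed lookup changes nothing.
    String ownerId = resolveUser( email ).getObjectId();

    // Deny first: if a later call throws, the object is left more restricted, not less.
    DataPermission.FIND.denyForAllRoles( dataObject );
    DataPermission.UPDATE.denyForAllRoles( dataObject );
    DataPermission.REMOVE.denyForAllRoles( dataObject );

    DataPermission.FIND.grantForUser( ownerId, dataObject );
    DataPermission.UPDATE.grantForUser( ownerId, dataObject );
    DataPermission.REMOVE.grantForUser( ownerId, dataObject );
  }
}
```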
