Give retrieve permissions to only the related users to an object

Hi,

I am facing a few issues while giving permissions to users for different objects. Please help with how to go about implementing this in Backendless permission management:

Use case - I want to give retrieve and edit permissions to two users connected to an object in a table. The first user is the owner of the object and the second user is related to this object. With this, I want to have the following three permissions set up for these two users:

  1. The permissions should be given to only these two users and not other users.
  2. Owner of the object will have edit access to all properties but 1.
  3. Related user should have view access to one set of properties and edit access for other set of properties.

Let me know if this can be done in Backendless.

Regards,
Vishal

Hello @Vishal_Lodhi

Your data schema is not completely clear to me.
Does the second user (not the owner) have a relation to that object, or does that object have a relation to the second user?

Regards

The table with the object has a column that contains the relationship with the second user here.

@viktor.liablin could you suggest any way forward on this, or let me know if this can’t be done on Backendless?

I am stuck on this. Any suggestions, please?

Hi @Vishal_Lodhi

Apologies for the delay in response. I am trying to investigate your question.
At the moment, I don’t have a definitive answer on whether it’s possible to implement what you want.
It should be possible to do so by following our documentation at Security - Backendless REST API Documentation.

Regards,
Viktor

@Viktor_Mudrevsky thanks for replying. I tried but couldn’t find the answers through this documentation. I will wait for your investigation to see how to go about solving this.

Hello @Vishal_Lodhi

  1. The permissions should be given to only these two users and not other users.

We have an API that you can use to change the permissions for roles and users on a particular table. Or you can change the permission for a user on a particular object (record). The following documentation describes the API for Java: Permissions API - Backendless SDK for Android/Java API Documentation

We have no description for REST but you can use the following routes:

Permission for table

PUT            /:appId/:apiKey/data/:tableName/permissions/:permissionType

Body:

{ 
   "permission": <permission>,
   "user":<objectId>
         or
   "role":<role-name>
}

In URL
:tableName is your table name
:permissionType can be GRANT or DENY
In body
<permission> one of the following operations:

  ADD,
  UPDATE,
  FIND,
  REMOVE,
  DESCRIBE,
  PERMISSION,
  LOAD_RELATIONS,
  ADD_RELATION,
  DELETE_RELATION,
  UPSERT

Instead of a particular operation, there can be *, which applies the permission for all operations.

The body should contain the user (object id) or role (role name) property. If both are present, role will be ignored.

Object Acl

Object Acl for several users

PUT            /:appId/:apiKey/data/:tableName/permissions/:objectId/bulk                

Body:

[
    {
        "permission": <permission>,
        "permissionType": <GRANT|DENY>,
        "userId": <object id of the user>
    },
    ...
]

In URL
:tableName is your table name
:objectId is the object for which you will change the permission
In body:
<permission> takes the same values as for the previous route

Object Acl for one user

PUT            /:appId/:apiKey/data/:tableName/permissions/:permissionType/:objectId                    

Body:

{ 
   "permission": <permission>,
   "user":<objectId>
}

  2. Owner of the object will have edit access to all properties but 1

Owner policy can be applied only for the whole table, and there is no option to apply it for an object or for a column.

  3. Related user should have view access to one set of properties and edit access for other set of properties.

As I said before, it is not possible to change visibility for some columns for a particular object. Also, you cannot deny access to related columns. But if you have no access to the record of the parent column, you will not get access to related records.
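
Added example, not part of the original thread and not Backendless's own code: a small Python builder for the table-level and bulk object-ACL requests described in the reply above. It validates operation names against the list given there and refuses a table-level request that carries both a user and a role. The host in `BASE` and all function names are assumptions; the thread gives only the route paths and bodies.

```python
import json
from urllib.parse import quote

# Operation names and permission types exactly as listed in the reply above.
OPERATIONS = {"ADD", "UPDATE", "FIND", "REMOVE", "DESCRIBE", "PERMISSION",
              "LOAD_RELATIONS", "ADD_RELATION", "DELETE_RELATION", "UPSERT", "*"}
TYPES = {"GRANT", "DENY"}
BASE = "https://api.backendless.com"  # assumption: the thread gives paths only


def _check(operation, permission_type):
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation!r}")
    if permission_type not in TYPES:
        raise ValueError(f"permission type must be GRANT or DENY: {permission_type!r}")


def _url(*parts):
    # Percent-encode each path segment so an id cannot alter the route.
    return BASE + "/" + "/".join(quote(p, safe="") for p in parts)


def table_permission(app_id, api_key, table, permission_type, operation,
                     user=None, role=None):
    """Table-level route: returns (url, json_body) for a PUT request."""
    _check(operation, permission_type)
    # Per the reply, a role is ignored when a user is also present, so an
    # ambiguous request is rejected here instead of being half-applied.
    if (user is None) == (role is None):
        raise ValueError("pass exactly one of user or role")
    body = {"permission": operation}
    body.update({"user": user} if user is not None else {"role": role})
    url = _url(app_id, api_key, "data", table, "permissions", permission_type)
    return url, json.dumps(body)


def object_acl_bulk(app_id, api_key, table, object_id, entries):
    """Bulk object-ACL route; entries are (user_object_id, type, operation)."""
    body = []
    for user_id, permission_type, operation in entries:
        _check(operation, permission_type)
        body.append({"permission": operation,
                     "permissionType": permission_type,
                     "userId": user_id})
    url = _url(app_id, api_key, "data", table, "permissions", object_id, "bulk")
    return url, json.dumps(body)


if __name__ == "__main__":
    # Constructed ids: the owner and the related user on one record.
    print(*object_acl_bulk("APP_ID", "API_KEY", "Orders", "OBJECT_ID", [
        ("OWNER_ID", "GRANT", "UPDATE"), ("RELATED_ID", "GRANT", "FIND")]), sep="\n")
```

Both functions only build the request; send the returned URL and body with an HTTP PUT from a client authorised to change permissions.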