Issue with data permissions

I’ve read this documentation: https://backendless.com/documentation/data/rest/data_security.htm And unfortunately I’m having an issue. From what I understand from that page, if Owner Permissions for an object are set, they should be used instead of User Permissions and Role Permissions. I’m currently trying to remove an object while logged in as an owner and it’s not allowing me to do so.

Maybe I misunderstood the documentation; any clarification is appreciated :)

Hi Benjamin

The documentation you mentioned says that the system goes through several security layers, where each can trim the scope of the operations.

The layered order of the decision making is important and consists of the following:

  1. ObjectACL for the user who makes the call
  2. ObjectACL for user-defined roles assigned to the user who makes the call.
  3. Table permissions for the User account
  4. Table permissions for the user-defined roles
  5. Owner Policy
  6. ObjectACL for system roles
  7. Table permissions for system-level roles
  8. Global user-defined roles
  9. Global system roles

If you have allowed an owner to remove the objects he owns and the system doesn’t allow him to do this, that means that one of the four previous layers denies this operation.

What would be the best way to achieve what I’m trying to do then? The main reason I was a bit confused is that the documentation also shows that when an owner permission is allowed it will bypass the checks afterwards. Would I need to allow my custom role to delete objects, and if I did this, wouldn’t that allow any user to delete any of the objects and not just the owner?

Vitaly, I’m not from this particular thread, but I have a question about your sentence “that means that the one of four previous layers denie this operation”.
I’ve read the official docs and also this FAQ
http://support.backendless.com/knowledge-base/article/if-permissions-conflict-with-each-other-will-grant-or-deny-have-higher-priority
and it said:

The algorithm to determine if an operation should be handled starts at the top of the hierarchy and performs the following checks at each level:

  • Check if the level in the hierarchy grants access to the current operation.
  • If it does, stop the algorithm processing and allow the operation to be handled by backendless.
  • If it does not, and we are the bottom of the hierarchy, reject the invocation and return a permission error to the client, otherwise move down one level and repeat the algorithm from step 1

So, maybe I’m wrong, but I see a contradiction there with your words. Please shed some more light on this.
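
The two readings that collide in this thread can be put side by side in a small model. This is an added example, not part of any post above and not Backendless code, and it does not establish which reading the service implements. Assumptions: a three-state setting (grant, deny, nothing set), an Owner Policy layer that applies only to the object's owner, and all names in the code.

```python
from enum import Enum

class Perm(Enum):
    GRANT = "grant"
    DENY = "deny"
    INHERIT = "inherit"   # assumption: nothing set at this layer

OWNER = "Owner Policy"
# Layer order exactly as listed in the reply above.
LAYERS = [
    "ObjectACL (user)", "ObjectACL (user-defined roles)",
    "Table (user)", "Table (user-defined roles)", OWNER,
    "ObjectACL (system roles)", "Table (system roles)",
    "Global (user-defined roles)", "Global (system roles)",
]

def setting(settings, layer, is_owner):
    # Assumption: the Owner Policy layer only applies when the caller owns the object.
    if layer == OWNER and not is_owner:
        return Perm.INHERIT
    return settings.get(layer, Perm.INHERIT)

def faq_reading(settings, is_owner):
    """FAQ text: stop at the first layer that grants; otherwise keep moving down."""
    for layer in LAYERS:
        if setting(settings, layer, is_owner) is Perm.GRANT:
            return True, layer
    return False, None

def reply_reading(settings, is_owner):
    """Reply's text, as read here: the first explicit grant or deny decides."""
    for layer in LAYERS:
        perm = setting(settings, layer, is_owner)
        if perm is not Perm.INHERIT:
            return perm is Perm.GRANT, layer
    return False, None

# Constructed settings for the DELETE operation discussed in the thread.
ROLE_DENIES = {"Table (user-defined roles)": Perm.DENY, OWNER: Perm.GRANT}
ROLE_UNSET = {OWNER: Perm.GRANT}
ROLE_GRANTS = {"Table (user-defined roles)": Perm.GRANT, OWNER: Perm.GRANT}

if __name__ == "__main__":
    for name, s in [("role denies", ROLE_DENIES), ("role unset", ROLE_UNSET),
                    ("role grants", ROLE_GRANTS)]:
        for is_owner in (True, False):
            print(name, "owner" if is_owner else "other user",
                  "FAQ:", faq_reading(s, is_owner), "reply:", reply_reading(s, is_owner))
```

In this model the readings disagree only when a layer above the Owner Policy carries an explicit deny. Leaving the custom role unset for delete lets the owner, and only the owner, delete under both readings, while granting delete to the role lets non-owners delete under both.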