Correct, I can assign the role to the user but unable to restrict the user to only the tables created by them. Ideally this should happen automatically during table creation process by the user.
Do you have table creation and role assignment encapsulated in a custom API service deployed to Backendless?
No, direct call from external system.
I would change that. Have one API call that is black-boxed from the outside. The API service would handle the logic for creating a table, creating the security role, and assigning the permissions for the role and the table.
That’s fine. All logic can be inside BL. How about the permissions issue?
I would design the system as described below:
-
Prohibit access to the database from the outside. The only “party” that can be trusted would be Cloud Code, because it is indeed the only trusted environment. This can be accomplished by denying access to the database for the
NonAuthenticatedUserandAuthenticatedUserroles. The only roles that can have access to the database areServerCodeUserand any custom roles you create. -
In your API service perform the following actions (this assumes that a new role is created for every user):
- Create a custom role. This will require the usage of the Console/Admin API
- Create a table for the user
- Assign the role to the user
- Assign permissions between the role and the table
-
Create a separate API service responsible for data retrieval. In that service, perform the following actions:
- Check if the user making the request has a corresponding role.
- Check if the role assigned to the user has permission to retrieve data from the table.
- If 1 and 2 pass, fetch data from the table and return it back to the client.
Hope this helps.
Mark