Hi @sergey.kuk,
Sorry, simultaneously with your reply, I cross-posted in Security of owned objects - #3 by Nicolas_REMY.
- Thanks for the reply. Does your reply mean that the fix is in the works but taking time, or does that mean that we should not expect it?
- Could you advise as to the best role / owner policy setup in order to restrict access to a minimum?
→ Indeed, for example when the relation’s target is a user, then at present I need to allow a specific role to access all users instead of those specifically owned by the parent record’s owner.
→ Thus, I am worried that users with that role will be able to access all users instead of a few. Am I wrong?
→ If so, the same goes for any other type of data. It’s just that user info is so particularly sensitive that it made for a good example.
- If I may, it would perhaps be useful to specify in the documentation Security - Backendless REST API Documentation that relations are an exception to point 4. I understood it followed the rule and spent hours trying to make out what was wrong.