Question about Backendless Access Controls for Data Service

In the hopes this is succinct, can the following be accomplished with Backendless default User and/or Role Permissions, or how would we need to change them?

We find that REST API queries to a Data Service table that include a user-token header item for an Authenticated User return all records that match the “where” clause, even those not owned by the user associated with the user-token at login. The query has the form:

curl -i -k \
-H "application-id:" \
-H "secret-key:<REST Secret Key>" \
-H "application-type:REST" \
-H "user-token:<user-token>" \
-X GET "https://api.backendless.com/v1/data/<table>?where=status%3D1&pageSize=10&offset=0"

If it is straightforward to do so, we’d like “regular” users to only receive objects owned by them in response to REST API queries that include their user-token in the header. We’d like the default behavior described above to only apply for a group of “administrative” users when a user-token for one of them is supplied in the REST API query.

Is this possible and, if so, is it a matter of either:

  1. Including something else in the REST API query (e.g. “where” clause) itself?
  2. Adjusting the permissions of the Authorized User role?
  3. Creating new roles for “regular” and/or “administrative” users?
  4. Or ???

Thanks.
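To make the distinction in the question concrete, here is an added illustration (not Backendless code, and not the webinar's material) of what an "owner policy" does to the query above: the where clause selects rows, and then a server-side check keeps only rows whose ownerId matches the user behind the user-token unless that user holds an administrative role. The table rows, the session store that maps tokens to users and roles, the "Admin" role name and the ownerId/status field names are all constructed for this example. It also shows why option 1 in the question (putting something extra in the where clause) is not an access control: the clause comes from the client, so the server must apply the owner filter on top of whatever the client sends.

```python
"""Model of an owner policy applied after a table query.

Added example, not Backendless code. Everything below (rows, tokens,
the Admin role name) is constructed for illustration.
"""
from urllib.parse import unquote

# Constructed table; ownerId names the user who created each object.
TABLE = [
    {"objectId": "A1", "ownerId": "u-alice", "status": 1},
    {"objectId": "A2", "ownerId": "u-alice", "status": 0},
    {"objectId": "B1", "ownerId": "u-bob", "status": 1},
    {"objectId": "B2", "ownerId": "u-bob", "status": 1},
]

# Constructed session store: user-token header value -> identity and roles.
SESSIONS = {
    "tok-alice": {"userId": "u-alice", "roles": {"AuthenticatedUser"}},
    "tok-bob": {"userId": "u-bob", "roles": {"AuthenticatedUser"}},
    "tok-admin": {"userId": "u-admin", "roles": {"AuthenticatedUser", "Admin"}},
}

ADMIN_ROLE = "Admin"  # hypothetical name for the "administrative" group


def parse_where(where: str) -> dict:
    """Parse the only where shape used here: field=value pairs joined by ' and '.

    Accepts the URL-encoded form from the curl command (status%3D1) as well.
    """
    conditions = {}
    for clause in unquote(where).split(" and "):
        key, _, value = clause.partition("=")
        if not key or not value:
            raise ValueError(f"unsupported where clause: {clause!r}")
        conditions[key.strip()] = value.strip()
    return conditions


def query(user_token: str, where: str, page_size: int = 10, offset: int = 0,
          owner_policy: bool = True) -> list:
    """Return the rows a request with this user-token may see.

    owner_policy=False reproduces the behaviour described in the question:
    every row matching the where clause is returned regardless of owner.
    """
    session = SESSIONS.get(user_token)
    if session is None:
        raise PermissionError("unknown or expired user-token")

    conditions = parse_where(where)
    matched = [r for r in TABLE
               if all(str(r.get(k)) == v for k, v in conditions.items())]

    # Owner policy: applied server-side after the client's where clause, so
    # editing the request cannot widen the result set for a regular user.
    if owner_policy and ADMIN_ROLE not in session["roles"]:
        matched = [r for r in matched if r["ownerId"] == session["userId"]]

    return matched[offset:offset + page_size]


def object_ids(rows: list) -> list:
    """Convenience for reading results in the examples below."""
    return [r["objectId"] for r in rows]


if __name__ == "__main__":
    print("default, alice:", object_ids(query("tok-alice", "status%3D1", owner_policy=False)))
    print("owner policy, alice:", object_ids(query("tok-alice", "status%3D1")))
    print("owner policy, admin:", object_ids(query("tok-admin", "status%3D1")))
    # A regular user naming someone else's ownerId in the where clause still gets nothing.
    print("alice asking for bob's rows:", object_ids(query("tok-alice", "status=1 and ownerId=u-bob")))
```

The point of the last call is the one that matters for the question: whatever the client puts in the where clause, the owner filter runs afterwards and is keyed on the identity behind the token, not on anything the caller typed. Roles decide whether that filter is skipped, which is why the question's options 2 and 3 (role permissions) are where such a policy lives, not option 1.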

Hi Rick,

This is an excellent question. I would really recommend watching a recording of a webinar I did on the subject of Backendless Security. I reviewed this very use-case in there and walked the viewers through the process of establishing the “owner policy”. You can see it at https://www.youtube.com/watch?v=AOyhtu1DOus&feature=youtu.be