Request to Extend Permission Assignment Functionality at the Object Owner Level

Hello Backendless Support Team,

I’m currently using your service to build a mobile application, and I’ve found the user role and data object owner permission management features to be very useful. The granular control over data accessibility greatly enhances the security and user experience of my application.

However, I’ve noticed a limitation in the current system. While we can assign various permissions at different levels, from user roles to data object owners, and even to specific user accounts, there seems to be one permission that can be set at the role level but not at the object owner level. Specifically, the permission to grant permissions to other users is not available at the object owner level.

This limitation prevents me from fully utilizing the potential of your permission management system. By extending the ability to grant permissions to the object owner level, we could allow users to dynamically manage access to their own data, adding another layer of flexibility and control.

I kindly ask you to consider addressing this issue in a future update of Backendless. I believe this enhancement would not only benefit my application but also many others that rely on your platform for their permission management needs.

Thank you for your time and consideration. I look forward to hearing your thoughts on this matter.

Best regards,

Hello @Andrzej_Puczyk

Welcome to our community and thank you for trying out Backendless. It is a very good suggestion; I have created an internal ticket to discuss the question.

Hello @sergey.kuk

Thank you for your response and for considering my suggestion. While I’m waiting for the internal discussion, I would like to ask if there is a possible workaround for the scenario I previously described. Specifically, I am looking to implement the following in my application:

  • I have an Event object in my app.
  • The owner of an Event object has full permissions to edit and delete all data related to the Event.
  • The owner can invite users to the Event object, and invited users can edit some data and have read-only access to the rest.
  • Depending on the Event settings, uninvited users can have read-only access to certain data.

Additionally, I would like to ask if it’s possible to create user roles that are assigned within the scope of an object, rather than across the entire database. This way, the roles could be used to manage permissions for specific instances of an Event, providing a more flexible and context-specific way of handling permissions.

Any insights or workarounds would be greatly appreciated.

Thank you for your continued support.

Unfortunately, there is no embedded way to do that; you should implement some kind of your own permissions. To do that, you may create some services in Backendless Cloud Code, which will check the permission you need and only after that return the data. You can have some JSON columns with a list of permissions or allowed/denied roles. But be aware that JSON columns have no index, and if you have a lot of data, queries that use JSON (like checking if a value is in a list) may be slow.

Thank you for your response and suggestion to implement custom permissions using Backendless Cloud code. I understand the constraints and will consider this option.

However, I have another question related to the permissions management: Is it possible to assign permissions to a group of objects (in this case, an Event object and the objects related to it) in a single API call for multiple users at the same time? This feature would be particularly useful in my scenario, where upon creating an Event object, I could revoke permissions en masse from all users and grant them to a selected group. Similarly, when a new person is added to the Event, I could immediately grant them permissions to both the Event object and the objects related to it with a single command.

I would appreciate your insight on this matter.

Hi @Andrzej_Puczyk

I believe Sergey’s suggestion of creating a JSON column with a list of permissions and some kind of service that can allow or deny them might be helpful in your scenario.

Regards,
Marina
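
The check that such a service would run before returning or changing an Event, for the owner / invited / uninvited scenario described in the thread. This is an added example, not part of the original posts and not Backendless code: it is plain JavaScript with no Backendless API calls, and the JSON column name `acl`, its keys, and the function names are assumptions.

```javascript
'use strict';
// Assumed record shape: ownerId plus a JSON column, hypothetically named "acl":
// { invited: [userId], inviteeEditable: [field], publicReadable: [field] }
const PROTECTED = ['acl', 'ownerId', 'objectId']; // never editable by non-owners

function roleFor(event, userId) {
  const acl = event.acl || {};
  if (!userId) return 'uninvited';
  if (userId === event.ownerId) return 'owner';
  return (acl.invited || []).includes(userId) ? 'invited' : 'uninvited';
}

// Copy of the record holding only the fields this caller may read.
function project(event, userId) {
  const acl = event.acl || {};
  const role = roleFor(event, userId);
  const out = {};
  for (const field of Object.keys(event)) {
    const visible =
      role === 'owner' ||
      (role === 'invited' && field !== 'acl') ||
      (field !== 'acl' && (acl.publicReadable || []).includes(field));
    if (visible) out[field] = event[field];
  }
  return out;
}

// Deny by default: every changed field must be allowed for the caller's role.
function canUpdate(event, userId, changedFields) {
  const acl = event.acl || {};
  const role = roleFor(event, userId);
  if (role === 'owner') return true;
  if (role !== 'invited' || changedFields.length === 0) return false;
  return changedFields.every(
    (f) => !PROTECTED.includes(f) && (acl.inviteeEditable || []).includes(f));
}

function canDelete(event, userId) {
  return roleFor(event, userId) === 'owner';
}

// Constructed sample record, not taken from the thread.
const sampleEvent = {
  objectId: 'evt-1', ownerId: 'user-owner', title: 'Launch party',
  location: 'Dock 4', notes: 'Bring badges',
  acl: { invited: ['user-guest'], inviteeEditable: ['notes', 'acl'],
         publicReadable: ['title'] },
};
console.log(project(sampleEvent, 'user-stranger'));          // { title: 'Launch party' }
console.log(canUpdate(sampleEvent, 'user-guest', ['acl']));  // false
```

The `PROTECTED` list matters because the permissions live in the same record they guard: without it, an invited user whose editable list included `acl` could add themselves more rights.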