I enabled all permissions on the global level for ServerCodeUser and disabled them for the others.
I thought this meant that, when a BL event is processed, the script can access all data, since the Backendless rules I read are:
The algorithm to determine if an operation should be handled starts at the top of the hierarchy and performs the following checks at each level:
Check if the level in the hierarchy grants access to the current operation.
If it does, stop the algorithm processing and allow the operation to be handled by backendless.
and the enabled rules for ServerCodeUser are at the very bottom of the levels.
But the find query in my BL event returned empty data until I also enabled the Find permission for ServerCodeUser on this table. (An empty result is also weird, because if the permission wasn't enabled it should give an error.)
Maybe it's also somewhat related to my previous report on ServerCodeUser in BL: http://support.backendless.com/t/why-servercodeuser-permission-have-no-effect-in-bl ?
Your previous ticket was fixed. Here is how object ACL works:
Data Service supports a very flexible security mechanism for restricting access to objects stored in Backendless. Security permissions apply to users and roles. A permission can either grant or reject an operation for a particular asset. In the context of Data Service, the asset is an object which your app can retrieve, update or delete. Permissions can be granted or rejected globally, where they apply to all tables and all objects in the data store. Additionally, every table may have its own permission matrix and owner policy – a special instruction whether object owners can or cannot retrieve/update/delete the objects they ‘own’. Finally, every object has its own Access Control List (ACL) which is a matrix of permissions for the operations applicable specifically to the object: http://backendless.com/documentation/data/rest/backendless-security-components.png
The security system is multi-layered. For an API call to retrieve, update or delete object(s), the system goes through several layers, where each can trim the scope of the operation. The layered order of the decision making is important and consists of the following:
Object ACL for users and roles. If the user or role permission is granted, then the object will be in the accessed list. If there is no restriction, then check the next layer.
Table permissions for the User account
Table permissions for the user-defined roles
Owner Policy
Table permissions for system-level roles
Global user-defined roles
Global system roles
Where:
• “User-defined roles” – roles created by the application developer
• “System roles” – roles built into Backendless (Authenticated User, NonAuthenticated User, SocialUser, etc)
Not sure what the purpose of your quote is; of course I read that page, and my quote was from almost the same place (I think from some forum answer or from a blog post discussing ACL).
My question in this topic was and is: I enabled access for ServerCodeUser on the level “global system roles”, yet the query in BL didn't work until I also enabled access on the table level.
This information describes how it works on Backendless. So my purpose is to help you.
So according to this information, the behavior of the server is correct, because you granted global access to ServerCodeUser and denied it for NotAuthenticatedUser. Both are system roles. So if one of them denies, then you will not have access and will get an empty array.
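As an added illustration (this is not Backendless's own code or its published algorithm), the following Python models the layer walk listed in the support reply together with the "if one of them denies" rule from the last post, and replays the two states from this thread: global grant for ServerCodeUser with the other system roles denied and nothing set on the table, then the same with Find granted to ServerCodeUser at the table level. The layer names, the deny-wins rule within a layer, the "nothing decided means denied" fallback and the assumption that a server-code call with no logged-in user is matched against both ServerCodeUser and NotAuthenticatedUser are my own modelling choices, not documented behaviour.

```python
"""Toy model of the layered permission check discussed in the thread.
Added illustration, not Backendless code. Assumptions (mine):
  * each layer maps a principal (user id or role name) to "grant"/"deny";
  * within one layer, a deny on any of the caller's principals wins;
  * the first layer that yields a verdict stops the walk;
  * if no layer yields a verdict, the operation is denied (empty result)."""

from typing import Dict, Iterable, List, Optional, Tuple

GRANT, DENY = "grant", "deny"

# Layer order as listed in the support reply: object ACL first, global
# system roles last.
LAYER_ORDER: List[str] = [
    "object_acl",
    "table_user",
    "table_user_roles",
    "owner_policy",
    "table_system_roles",
    "global_user_roles",
    "global_system_roles",
]

Layer = Dict[str, str]      # principal -> GRANT / DENY
Policy = Dict[str, Layer]   # layer name -> Layer (missing layer == nothing set)


def decide_layer(layer: Layer, principals: Iterable[str]) -> Optional[str]:
    """Verdict of one layer for the caller, or None if the layer is silent.
    Assumption: an explicit deny on any matching principal beats a grant."""
    verdicts = {layer[p] for p in principals if p in layer}
    if not verdicts:
        return None
    return DENY if DENY in verdicts else GRANT


def is_allowed(policy: Policy, principals: Iterable[str]) -> Tuple[bool, str]:
    """Walk the layers in order; return (allowed, name of the deciding layer)."""
    principals = list(principals)
    for name in LAYER_ORDER:
        verdict = decide_layer(policy.get(name, {}), principals)
        if verdict is not None:
            return verdict == GRANT, name
    return False, "undecided"


# Assumption: a business-logic call with no logged-in user is evaluated
# against both system roles, which is how "if one of them denies" reads.
SERVER_CODE_PRINCIPALS = ["ServerCodeUser", "NotAuthenticatedUser"]


def initial_policy() -> Policy:
    """Constructed: the state from the first post -- everything granted
    globally for ServerCodeUser, denied for other roles, table untouched."""
    return {
        "global_system_roles": {
            "ServerCodeUser": GRANT,
            "NotAuthenticatedUser": DENY,
            "AuthenticatedUser": DENY,
        }
    }


def fixed_policy() -> Policy:
    """Constructed: the same, plus Find granted to ServerCodeUser on the table,
    which is the change that made the query return data."""
    policy = initial_policy()
    policy["table_system_roles"] = {"ServerCodeUser": GRANT}
    return policy


def check_find(policy: Policy) -> Tuple[bool, str]:
    """Evaluate a Find from server code under the given policy."""
    return is_allowed(policy, SERVER_CODE_PRINCIPALS)


if __name__ == "__main__":
    for label, pol in (("initial", initial_policy()), ("fixed", fixed_policy())):
        allowed, layer = check_find(pol)
        state = "allowed" if allowed else "denied (empty result)"
        print(f"{label}: find {state}, decided at layer '{layer}'")
```

In the initial state the walk reaches the global system-roles layer with both a grant (ServerCodeUser) and a deny (NotAuthenticatedUser) applicable, so under the deny-wins assumption the Find is denied there. Granting Find on the table makes the table system-roles layer decide first, before the conflicting global layer is ever consulted, which matches the order of layers given in the support reply.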