Why can't a user read a record when their role is denied but their user is allowed?

I am trying to figure out how I can create a record that no one but the specific user can read. It would appear that all records are readable by everyone by default. So I tried calling denyAllRoles followed by grantForUser(currentUserId) and I see that all roles are denied with an X in the control panel, but the current user has a checkbox under Find. Yet when I execute the find command the user is not seeing the record. I also tried setting the owner policy under Find to true, with no luck. What is the correct way to do this?

Just found this: https://backendless.com/feature-88-managing-objects-acl-using-api/. Makes it seem like what I’m doing should work… Have I found a bug?

Hi Brandon,

Please let me know your app id, I’d like to take a look at the permissions settings. Also, what table is it for?

Regards,
Mark

I am using self hosted. Here is how my permissions look:

http://support.backendless.com/public/attachments/2dc634ab238ecb71430fdd3d67914375.PNG
http://support.backendless.com/public/attachments/40d2263fb112ebabcb656d5dbc2a4efe.PNG

Is the user logged in when you execute a find operation? Are you making a REST request or using an SDK?

They are logged in, it is through the android sdk.

Here is my IDE variable output, as you can see it switches from 8 records to 7 after changing the permissions:

http://support.backendless.com/public/attachments/2f25a161fa49a91627eb68ce2900c2ad.PNG

I was able to reproduce this behavior. What’s interesting is if I were to load the object which has its own ACL setup by objectId, I can get it just fine. However, a more broad find request does not return it. This needs to be investigated further by a developer. I will create an internal ticket and assign it to someone in the dev team.

Regards,
Mark

Thank you. Do you have any ETA on this? This is a rather large issue…

It was added to the regular queue. There is quite a backlog of issues. It may take a week or two.

Regards,
Mark

How will this fix be able to make its way to our hosted server? Any details you can provide would be very helpful, we need to analyze switching to another platform since this is very critical.

Here’s a workaround that was suggested internally:

Deny access for the role(s) the users belong to for the entire table. Then grant permissions for the specific objects for specific users. That way, the users who have permissions for the objects in question will be able to load them.
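The workaround above, written out for the Android SDK as an added example (not code from the thread or from Backendless): the table-level deny for the users' role is configured in the console, and the code only adds the per-object grant for the current user and then checks that a find returns the record. The table name "Note", the "text" and "ownerId" columns and the exact SDK overloads (save with a Map, Permissions.FIND.grantForUser with an AsyncCallback) are assumptions from memory of the SDK, so check them against your SDK version.

```java
import com.backendless.Backendless;
import com.backendless.BackendlessUser;
import com.backendless.async.callback.AsyncCallback;
import com.backendless.exceptions.BackendlessFault;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class PrivateRecord {
    // Precondition (done in the console, not via API): on the "Note" table, deny Find for
    // the role(s) your users belong to. The per-object grant below then re-opens the
    // record for exactly one user. Table and column names are assumed for this example.
    public static void savePrivateNote(String text) {
        BackendlessUser user = Backendless.UserService.CurrentUser();
        if (user == null) {
            throw new IllegalStateException("user must be logged in to create a private record");
        }
        final String userId = user.getObjectId();

        Map<String, Object> note = new HashMap<>();
        note.put("text", text);
        note.put("ownerId", userId); // assumed column, handy for your own server-side checks

        // Save first: an object-level ACL can only be attached to a persisted object.
        Backendless.Data.of("Note").save(note, new AsyncCallback<Map>() {
            @Override
            public void handleResponse(final Map saved) {
                // Object-level grant for this user only; the role-level deny on the table
                // keeps every other user out, so no per-object denyAllRoles call is needed.
                Backendless.Data.Permissions.FIND.grantForUser(userId, saved, new AsyncCallback<Void>() {
                    @Override
                    public void handleResponse(Void v) { verifyVisible((String) saved.get("objectId")); }
                    @Override
                    public void handleFault(BackendlessFault f) { throw new RuntimeException(f.getMessage()); }
                });
            }
            @Override
            public void handleFault(BackendlessFault f) { throw new RuntimeException(f.getMessage()); }
        });
    }

    // Re-run the same kind of find the thread uses and confirm the new record is in the result.
    static void verifyVisible(final String objectId) {
        Backendless.Data.of("Note").find(new AsyncCallback<List<Map>>() {
            @Override
            public void handleResponse(List<Map> rows) {
                boolean found = false;
                for (Map row : rows) found |= objectId.equals(row.get("objectId"));
                if (!found) throw new IllegalStateException("find did not return object " + objectId);
            }
            @Override
            public void handleFault(BackendlessFault f) { throw new RuntimeException(f.getMessage()); }
        });
    }
}
```

Run verifyVisible once more from a second, unrelated account: with the role-level deny in place the record should be absent from that account's find result.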