Authorization / Access control


Hasura supports role-based authorization where access control is done by creating rules for each role, table and operation (insert, update, etc.). These access control rules use dynamic session variables that are passed to the GraphQL engine from your authentication service with every request. Role information is inferred from the X-Hasura-Role and X-Hasura-Allowed-Roles session variables. Other session variables can be passed by your auth service as per your requirements.

For example:

Create a permission rule


Hasura roles and permissions are implemented at the Hasura layer. They have nothing to do with Postgres roles and users.

Trying out access control

If you just want to see role-based access control in action, you need not set up or integrate your auth service with GraphQL engine. You can just:

  • Define permission rules for a table for a role.
  • Use the GraphiQL interface in the console to make a request and send the session variables as request headers (send a X-Hasura-Role key, with its value as the name of the role you’ve defined rules for). The data in the response will be restricted as per your configuration.

Follow the example at access control basics.