Permissions Protect Data
Introduction
Permissions allow you to control who can access your data and what they can do with it. You can define permissions to restrict access to certain models, the fields they contain, and the operations that can be performed on them.
Lifecycle
If you haven't already, have a run through our Quickstart guide to set up your Hasura DDN instance. In the sections below, we'll guide you through how to interact with your metadata and shape your API to your liking!
Creating permissions
Creating a ModelPermission
To implement row-level security, you can create a permission for a model.
---
# e.g., users.hml
kind: ModelPermissions
version: v1
definition:
modelName: Users
permissions:
# admin is present by default
- role: admin
select:
filter: null
- role: user
select:
filter:
fieldComparison:
field: id
operator: _eq
value:
sessionVariable: x-hasura-user-id
The highlighted role above will filter responses from the Users
field in your API to only those whose id
matches the
x-hasura-user-id
passed in the header of the request.
Creating a TypePermission
To restrict which fields can be queried, you can create a permission for a type.
# e.g., users.hml
---
kind: TypePermissions
version: v1
definition:
typeName: user
permissions:
# admin is present by default
- role: admin
output:
allowedFields:
- id
- name
- role: user
output:
allowedFields:
- name
Creating a CommandPermission
To determine which operations can be performed by which roles, you can create a permission for a command.
# e.g., UpdateUsersById.hml
---
kind: CommandPermissions
version: v1
definition:
commandName: UpdateUsersById
permissions:
- role: admin
allowExecution: true
- role: user
allowExecution: true
argumentPresets:
- argument: keyId
value:
sessionVariable: "x-hasura-user-id"
Deleting permissions
If you no longer need a permission, you can remove the role from the relevant permissions array in any permission object.
Reference
You can learn more about permissions in the metadata reference docs.