Authorization / Access control
Hasura supports role-based authorization where access control is
done by creating rules for each role, table and operation (insert,
update, etc.). These access control rules use dynamic session
variables that are passed to the GraphQL engine from your
authentication service with every request. Role
information is inferred from the
X-Hasura-Allowed-Roles session variables. Other session variables can
be passed by your auth service as per your requirements.
Hasura roles and permissions are implemented at the Hasura layer. They have nothing to do with Postgres roles and users.
Trying out access control
If you just want to see role-based access control in action, you need not set up or integrate your auth service with GraphQL engine. You can just:
- Define permission rules for a table for a role.
- Use the GraphiQL interface in the console to make a request and send
the session variables as request headers (send a
X-Hasura-Rolekey, with its value as the name of the role you've defined rules for). The data in the response will be restricted as per your configuration.
Follow the example at access control basics.
- Access control basics
- Roles & Session variables
- Inherited roles
- Configuring permission rules
- Access control examples
- Multiple column + row permissions for the same role
API limits and access controls in Hasura Cloud
Additional access controls and API limits like maximum query depth can be found in Hasura Cloud. See more at API limits with Hasura Cloud.
Enterprise Grade Authorization - Watch Webinar.