This course is no longer maintained and may be out-of-date. While it remains available for reference, its content may not reflect the latest updates, best practices, or supported features.
Queries with access control
Hasura has a robust permissions system that allows for granular authorization. We'll use this system to define permissions on the data we just imported. As our application is meant to be a helpful tool for HR managers, it would make sense for a user to only see information relevant to them.
We can do this easily by defining a SELECT permission on our hiring_manager relationship. Head to the Data tab and
click on the Resumes table of the Resumes database. Then, click the Permissions tab, create a role named manager
and choose SELECT as shown in the screenshot below. You can copy and paste this rule into the first line of the
editor, or configure it using the dropdown GUI, which is available after clicking the With custom check radio button.
{"application_relationship":{"hiring_manager":{"_eq":"x-hasura-manager-id"}}}

Next, expand the Column select permissions and toggle all. Finally, click Save Permissions.
Adding this rule does the magic! If we head back to the API tab of the Console and run a query with the
x-hasura-manager-id and x-hasura-role headers added, we'll now only see the applications belonging to the manager
whose id is in x-hasura-manager-id 🎉
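
To make the effect of the rule concrete, here is a simplified model of how a row-level check like the one above filters rows for a given session. It is an added example, not code from this course or from Hasura. The sample rows, the ids, the function names and the choice to fail closed on a missing session variable are assumptions of the example, and only the _eq operator is modelled.

```python
# Simplified model of a row-level SELECT check; not Hasura's implementation.
# The rule is the one from this page; rows and manager ids are constructed.
RULE = {"application_relationship": {"hiring_manager": {"_eq": "x-hasura-manager-id"}}}

# Constructed sample rows: each resume with its related application object.
RESUMES = [
    {"id": 1, "application_relationship": {"hiring_manager": 10}},
    {"id": 2, "application_relationship": {"hiring_manager": 11}},
    {"id": 3, "application_relationship": {"hiring_manager": 10}},
    {"id": 4, "application_relationship": None},  # resume with no application
]


def resolve(value, session):
    """Replace an x-hasura-* reference with the value held in the session."""
    if isinstance(value, str) and value.lower().startswith("x-hasura-"):
        key = value.lower()
        if key not in session:
            # Fail closed: an unresolved session variable must never match.
            raise PermissionError(f"missing session variable: {key}")
        return session[key]
    return value


def row_allowed(rule, row, session):
    """Evaluate the nested rule against one row (only _eq is modelled)."""
    for key, sub in rule.items():
        if key == "_eq":
            # Header values arrive as strings, so compare as strings here.
            return str(row) == str(resolve(sub, session))
        child = row.get(key) if isinstance(row, dict) else None
        if child is None or not row_allowed(sub, child, session):
            return False
    return True


def select_resumes(headers):
    """Return the resume ids a request with these session values may read."""
    session = {k.lower(): v for k, v in headers.items()}
    if session.get("x-hasura-role") != "manager":
        return []  # this model only defines a permission for the manager role
    return [r["id"] for r in RESUMES if row_allowed(RULE, r, session)]
```

The session values here stand in for what Hasura resolves for a request; outside the Console they should come from the configured JWT or auth webhook rather than from headers a client can set itself.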







