Fine-grained role-based access control

You define permissions at a granular level on the schema, sessions, and data (table, row, and column). For every role you create, Hasura automatically publishes a different GraphQL schema that exposes only the queries, fields, and mutations available to that role. Every operation uses the request context to further apply permission rules on the data.

Built-in input validation and constraint validation

When writing data and submitting forms, if you would like the validation logic to be at the GraphQL API layer, Hasura permissions can be used to add your validation. If the validation logic requires complex business logic or needs information from external sources, you can use Hasura Actions to perform your validation.

Cross-source authorization

Cross-source authorization integrates authorization rules based on data and entitlements in different sources. Hasura forwards the resolved values as headers to your external services, and you can use this information to apply authorization rules in your external service.

Authorization predicate pushdown

Whenever possible, Hasura automatically pushes the authorization check down into the data query itself. This provides a significant performance boost and avoids additional lookups wherever they can be avoided.

More Authorization features at a glance

Row permissions

Row permissions are powerful boolean expressions that help you restrict access to database rows for each database operation and user role.

Column permissions

Column-level permissions determine which columns are accessible within the rows a role is allowed to access.

Aggregation permissions

Aggregation permissions enable access to aggregation queries for a given role on select operations.

Row fetch limit

Row fetch limit caps the number of rows returned in a response on select operations.

Root field visibility

Root field visibility disables specific query and subscription root fields to manage certain role-based access.

Column presets

Column presets keep sensitive user information from being sent in a request by removing the ability to manually set those values in insert or update operations for that role.
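The features listed above, combined in one role's permissions on a single table, written as Hasura v2-style table metadata. This is an added example, not taken from the original page; the `orders` table, its columns, and the `user` role are assumptions.

```yaml
# Constructed example: public.orders with columns
# id, user_id, item, quantity, internal_notes (all hypothetical).
table:
  name: orders
  schema: public

select_permissions:
  - role: user
    permission:
      # Column permissions: internal_notes is never exposed to this role.
      columns:
        - id
        - item
        - quantity
      # Row permission: a boolean expression evaluated against the
      # session; the role only sees rows it owns.
      filter:
        user_id:
          _eq: X-Hasura-User-Id
      # Row fetch limit: cap rows returned per select.
      limit: 50
      # Aggregation permissions: off unless explicitly enabled.
      allow_aggregations: false
      # Root field visibility: no subscriptions for this role.
      query_root_fields:
        - select
        - select_by_pk
      subscription_root_fields: []

insert_permissions:
  - role: user
    permission:
      # Validation at the API layer: reject non-positive quantities.
      check:
        quantity:
          _gt: 0
      # Column preset: user_id is taken from the session, not the request.
      set:
        user_id: X-Hasura-User-Id
      # user_id is omitted here, so the client cannot supply it.
      columns:
        - item
        - quantity
```

When reviewing a role, check that every preset column is absent from the writable `columns` list and that `filter` is never left as an empty object (`{}`), which grants access to all rows.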
