How to create AccessRights for various Teams

We have seen how to grant access rights to a Room so that its members can exchange messages.

Now we will create Access Rights for different Teams. In the previous post we created a single Room and granted access to all of its members.

Here we will create two teams and grant an access right to one team while withholding it from the other.

Suppose you hold confidential data and want to restrict it to the members of a specific team. ImpData is the data type that holds it, with a single field, data.

mutation {
  upsert(values: { ImpData: [{ data: "Confidential" }] }) {
    id
  }
}

{
  "data": {
    "upsert": [
      {
        "id": "01G7VJDYCX8FK5NBERMPSSS731"
      }
    ]
  }
}

You have two teams, Team1 and Team2. Team1 is the top executive team and should be able to read the confidential data; Team2 is the ordinary user team and should not.

Let’s create these two teams. The colleagues field holds the hypi.id of each member's user Account. Check this guide on how to create user accounts.

# Team1

mutation {
  upsert(
    values: {
      Team: [
        {
          hypi: { id: "Team1" }
          colleagues: [
            { hypi: { id: "User1" } }
            { hypi: { id: "User2" } }
          ]
        }
      ]
    }
  ) {
    id
  }
}

# Team2 

mutation {
  upsert(
    values: {
      Team: [
        {
          hypi: { id: "Team2" }
          colleagues: [
            { hypi: { id: "User4" } }
            { hypi: { id: "User5" } }
            { hypi: { id: "User6" } }
          ]
        }
      ]
    }
  ) {
    id
  }
}

Alright! Let’s create an Access Right that allows Team1 to find ImpData. The resource and resourceType fields name the record and its type, operationType and operation narrow the grant to the find query, and the three membersSource fields point at the colleagues list of Team1, so only accounts listed there receive the permission.

mutation {
  upsert(
    values: {
      AccessRight: [
        {
          resource: "01G7VJDYCX8FK5NBERMPSSS731"
          resourceType: "ImpData"
          operationType: "Query"
          operation: "find"
          permissionType: RBP
          approved: true
          membersSourceType: "Team"
          membersSourceField: "colleagues"
          membersSourceId: "Team1"
        }
      ]
    }
  ) {
    id
  }
}

# result

{
  "data": {
    "upsert": [
      {
        "id": "01G7VNEAZ5VHPMVG6GMZ132BHH"
      }
    ]
  }
}

We will cross-check the given Access Right.

Log in as User4 from Team2 and run a find query for ImpData. Because Team2 holds no access right for this resource, the query returns an empty result set rather than an error, so the absence of an error is not evidence that a user can see the data. Please note that you need to send the session token generated at login in the Authorization header. You may check this guide on how to log in user accounts.

#query

{
  find(type: ImpData, arcql: "*") {
    edges {
      node {
        ... on ImpData {
          hypi {
            id
          }
          data
        }
      }
    }
  }
}

#result

{
  "data": {
    "find": {
      "edges": []
    }
  }
}

Now log in as User1 from Team1 and run the same query; the confidential data is returned.

#result
{
  "data": {
    "find": {
      "edges": [
        {
          "node": {
            "hypi": {
              "id": "01G7VJDYCX8FK5NBERMPSSS731"
            },
            "data": "Confidential"
          }
        }
      ]
    }
  }
}

User1 from Team1 retrieves data successfully!
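The cross-check above is done by hand for one user in each team. The following script, added here as an example and not part of Hypi's own code or documentation, turns it into a repeatable access-matrix test: it builds the AccessRight mutation from the page for any resource and team, runs the same find query as every test user, and reports both leaks (a user who sees a record they should not) and missing grants (a user who should see a record but does not). The endpoint URL is a placeholder, the Authorization header carries the session token exactly as the page describes, the id validation is an assumption added because ids are interpolated into a query string, and the sample responses are constructed copies of the two results shown above so the checking logic can run offline.

```python
import json
import re
import urllib.request

# Assumptions: replace the endpoint with your own instance's GraphQL URL.
HYPI_ENDPOINT = "https://example.invalid/graphql"   # placeholder, not a real Hypi URL
CONFIDENTIAL_ID = "01G7VJDYCX8FK5NBERMPSSS731"      # the ImpData record created above

# The same find query the page runs for each user.
FIND_IMPDATA = """
{
  find(type: ImpData, arcql: "*") {
    edges { node { ... on ImpData { hypi { id } data } } }
  }
}
"""

_ID_OK = re.compile(r"[A-Za-z0-9_-]+")


def _checked_id(value):
    """Ids are spliced into a GraphQL string literal, so reject anything that
    could break out of the quotes (an added precaution, not a Hypi rule)."""
    if not _ID_OK.fullmatch(value):
        raise ValueError(f"unsafe id: {value!r}")
    return value


def access_right_mutation(resource_id, team_id, resource_type="ImpData",
                          operation_type="Query", operation="find"):
    """Build the AccessRight upsert shown on the page for a resource and a team."""
    return f"""
mutation {{
  upsert(values: {{ AccessRight: [{{
    resource: "{_checked_id(resource_id)}"
    resourceType: "{_checked_id(resource_type)}"
    operationType: "{_checked_id(operation_type)}"
    operation: "{_checked_id(operation)}"
    permissionType: RBP
    approved: true
    membersSourceType: "Team"
    membersSourceField: "colleagues"
    membersSourceId: "{_checked_id(team_id)}"
  }}] }}) {{ id }}
}}"""


def graphql(endpoint, session_token, query):
    """POST a GraphQL document with the user's session token in the Authorization header."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": session_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def visible_ids(find_response):
    """Set of ImpData ids in a find response; empty when access was denied
    (a denied query returns edges: [] rather than an error)."""
    find = (find_response.get("data") or {}).get("find") or {}
    return {edge["node"]["hypi"]["id"] for edge in (find.get("edges") or [])}


def check_access(find_response, expected_ids):
    """Compare what a user actually sees with what they should see.
    Returns (ok, leaked, missing): leaked = ids the user must NOT see,
    missing = ids the user should see but did not."""
    seen = visible_ids(find_response)
    leaked = seen - set(expected_ids)
    missing = set(expected_ids) - seen
    return (not leaked and not missing, leaked, missing)


# Expected visibility matrix: Team1 members see the record, Team2 members see nothing.
EXPECTED = {"User1": {CONFIDENTIAL_ID}, "User2": {CONFIDENTIAL_ID},
            "User4": set(), "User5": set(), "User6": set()}


def verify_matrix(sessions, endpoint=HYPI_ENDPOINT, expected=EXPECTED):
    """Run the find query as every user in `sessions` (user id -> session token
    obtained by logging in) and return the users whose visibility is wrong."""
    failures = {}
    for user, token in sessions.items():
        ok, leaked, missing = check_access(graphql(endpoint, token, FIND_IMPDATA), expected[user])
        if not ok:
            failures[user] = {"leaked": sorted(leaked), "missing": sorted(missing)}
    return failures


# Constructed sample responses, copied from the two results shown on the page.
TEAM2_RESPONSE = {"data": {"find": {"edges": []}}}
TEAM1_RESPONSE = {"data": {"find": {"edges": [
    {"node": {"hypi": {"id": CONFIDENTIAL_ID}, "data": "Confidential"}}]}}}

if __name__ == "__main__":
    print(check_access(TEAM2_RESPONSE, EXPECTED["User4"]))  # (True, set(), set())
    print(check_access(TEAM1_RESPONSE, EXPECTED["User1"]))  # (True, set(), set())
    # What a leak looks like: a Team2 user receiving Team1's record.
    print(check_access(TEAM1_RESPONSE, EXPECTED["User4"]))  # (False, {CONFIDENTIAL_ID}, set())
```

Run verify_matrix with real session tokens for every account in both teams after each change to an AccessRight; the negative cases (Team2 users expecting an empty set) are the ones that catch an over-broad grant, and they only work because the expected matrix lists those users explicitly.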

This way you can work with multiple teams in one API instance by using Access Rights, sharing data selectively through Hypi’s Authorisation system. Where teams need strict isolation rather than selective sharing, the recommended approach is to create one Hypi instance per team: Hypi then keeps the data of the two instances separate automatically, and you don’t need to include a team ID in your queries when you want to find data for a specific team.