How to create Resource Based Permissions

In this post, we will see how to create Resource Based Permissions (RBP) so that the member users of an application can read the data stored in an object, and nothing more.

Let’s say we are developing a Library App. In this App, book information is stored in a Book data type. Each Book object created with an upsert mutation stores the information of one book, and the platform assigns a hypi.id to each one.

mutation {
  upsert(
    values: {
      Book: [
        { title: "ABC", price: 10.99 }
        { title: "XYZ", price: 11.99 }
        { title: "PQR", price: 13.99 }
        { title: "DEF", price: 6.99 }
      ]
    }
  ) {
    id
  }
}
#result
{
  "data": {
    "upsert": [
      {
        "id": "01G1THPHQ70SYT6W0J8YWE2BPE"
      },
      {
        "id": "01G1THPHQ755XPDHF6HGV02KWY"
      },
      {
        "id": "01G1THPHQ7XW8QT5MT68NB9636"
      },
      {
        "id": "01G1THPHQ7QWMVFMZAD4DQZGCF"
      }
    ]
  }
}

A Resource is any object created on the Hypi platform, so the Book objects are the resources in this App. We need to grant Resource Based Permissions to the App users so that they can retrieve the book information.

Suppose a user signs up to use the Library App. We create an account for that user with the createAccount mutation.

mutation {
  createAccount(
    value: {
      username: "User1"
      password: { value: "User1" }
      emails: [{ value: "[email protected]" }]
    }
  ) {
    id
    created
    createdBy
  }
}
# result
{
  "data": {
    "createAccount": {
      "id": "01G1THAFFN94N1MJJZJKJ2VTDR",
      "created": "2022-04-29T11:29:28Z",
      "createdBy": "01G1THAFFN94N1MJJZJKJ2VTDR"
    }
  }
}

We can create any number of user accounts this way.

In a library, member users may look up the details of a Book, so they should be able to run get or find queries on Book. We grant exactly that: the get and find operations with the Query operationType.

Users should not be allowed to modify Book information, so Mutation permissions such as upsert and delete are not granted to them. In this App, only the admin has Mutation permissions.

Let’s create the required AccessRights.

mutation {
  upsert(
    values: {
      AccessRight: [
        {
          resource: "*"
          resourceType: "Book"
          operationType: "Query"
          operation: "get"
          permissionType: RBP
          approved: true
          members: { hypi: { id: "*" } }
        },
        {
          resource: "*"
          resourceType: "Book"
          operationType: "Query"
          operation: "find"
          permissionType: RBP
          approved: true
          members: { hypi: { id: "*" } }
        }
      ]
    }
  ) {
    id
  }
}
#result
{
  "data": {
    "upsert": [
      {
        "id": "01G1THZ3HGS0DV1GC8CC8EFY2C"
      },
      {
        "id": "01G1THZ3HHKSCF7EXFWDGWDB00"
      }
    ]
  }
}

Here, * is used as the value of the resource field. This wildcard means the right applies to every Book; a right scoped to a single Book would name that Book’s hypi.id in the resource field instead.

Again, * is used to grant access to all members, which is why the members field is { hypi: { id: "*" } }. This means every member user can retrieve Book details. Both rights are also created with approved: true, which is what puts them into effect. A wildcard in both resource and members is the widest grant possible for Query on Book; that is fine for a catalogue every member may read, but for a type holding private data you would narrow the resource or the members rather than grant the whole type to everyone.
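As an added illustration (this is not Hypi’s code; it only models the matching rule the post relies on), the following Python reproduces the RBP decision: a request is allowed only when an approved AccessRight matches the resource type, the resource, the operation type, the operation and the requesting member, with * acting as a wildcard, and everything else is denied. The account and Book ids are the ones shown above; the field names are simplified from the AccessRight objects in the mutation.

```python
"""Model of the Resource Based Permission check described above.

Added example, not Hypi's implementation. It encodes the semantics the post
relies on: deny by default, allow only when an approved AccessRight matches
every field of the request, "*" matching any value in resource or member.
"""
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class AccessRight:
    resource_type: str    # e.g. "Book"
    resource: str         # a hypi.id, or "*" for every object of the type
    operation_type: str   # "Query" or "Mutation"
    operation: str        # "get", "find", "upsert", "delete", ...
    member: str           # a member's account id, or "*" for every member
    approved: bool = True


@dataclass(frozen=True)
class Request:
    member: str           # account id of the caller
    resource_type: str
    resource: str         # hypi.id of the object, or "*" for a find over the type
    operation_type: str
    operation: str


def _matches(pattern: str, value: str) -> bool:
    """A field in a right matches when it is the wildcard or exactly equal."""
    return pattern == WILDCARD or pattern == value


def is_allowed(rights, request: Request) -> bool:
    """Deny by default: allow only if some approved right matches every field.

    Note that a right naming one Book does not allow find over all Books:
    the request resource "*" only matches a right whose resource is "*".
    """
    return any(
        r.approved
        and r.resource_type == request.resource_type
        and r.operation_type == request.operation_type
        and r.operation == request.operation
        and _matches(r.resource, request.resource)
        and _matches(r.member, request.member)
        for r in rights
    )


def permitted_operations(rights, member: str, resource_type: str, resource: str):
    """Effective (operationType, operation) pairs a member holds on one resource."""
    return {
        (r.operation_type, r.operation)
        for r in rights
        if r.approved
        and r.resource_type == resource_type
        and _matches(r.resource, resource)
        and _matches(r.member, member)
    }


# The two rights created in the post: every member may get/find every Book.
LIBRARY_RIGHTS = [
    AccessRight("Book", "*", "Query", "get", "*"),
    AccessRight("Book", "*", "Query", "find", "*"),
]

# Ids taken from the post: the account created above and the first Book.
USER1 = "01G1THAFFN94N1MJJZJKJ2VTDR"
BOOK_ABC = "01G1THPHQ70SYT6W0J8YWE2BPE"

if __name__ == "__main__":
    for req in (
        Request(USER1, "Book", BOOK_ABC, "Query", "get"),
        Request(USER1, "Book", "*", "Query", "find"),
        Request(USER1, "Book", BOOK_ABC, "Mutation", "upsert"),
    ):
        print(req.operation_type, req.operation, "->", is_allowed(LIBRARY_RIGHTS, req))
```

Run it with an empty list of rights and every request is denied, which is the "if AccessRights are not created" case; add a right with approved set to False and it still grants nothing. Swapping the wildcard resource for one Book’s hypi.id is the quickest way to see why a per-object right does not cover a find over the whole type.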

Our Library App is ready to use!

Let’s say User1 logs into the App with the password set in createAccount.

{
  login(
    username: "User1"
    password: "User1"
  ) {
    sessionToken
    sessionExpires
    errorCode
    errorMsg
  }
}

This returns a sessionToken for User1. Send that sessionToken (or an API token) in the Authorization header of every subsequent request; if errorCode is set, the login failed and no token is returned.

When you use the APIs, set the Authorization header along with the hypi-domain header, for example:

{
  "Authorization": "API-Token",
  "hypi-domain": "observer.apps.hypi.app"
}

Now User1 wants the information of all the Books, so he queries with find.

{
  find(type: Book, arcql: "*") {
    edges {
      cursor
      node {
        ... on Book {
          hypi {
            id
          }
          title
          price
        }
      }
    }
  }
}

To fetch a single Book, he uses get with that Book’s hypi.id.

{
  get(type: Book, id: "01G1THPHQ70SYT6W0J8YWE2BPE") {
    ... on Book {
      hypi {
        id
      }
      title
      price
    }
  }
}
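The login, header and query steps above, as an added example client (not Hypi’s SDK). It assumes a GraphQL endpoint URL (the placeholder must be replaced with your instance’s endpoint), that login accepts its arguments as String! variables, and that the API takes the Authorization and hypi-domain headers exactly as shown in the post. Credentials are passed as GraphQL variables rather than interpolated into the query string, and the HTTP call sits behind a transport argument so the response handling can be exercised offline.

```python
"""Added example: login, then query Book with the session token.

Not Hypi's own code. Assumptions: GRAPHQL_URL is a placeholder, login's
username/password are String! variables, and the headers are those in the post.
"""
import json
import urllib.request

GRAPHQL_URL = "https://api.hypi.example/graphql"   # assumed placeholder
HYPI_DOMAIN = "observer.apps.hypi.app"             # header value from the post

# Credentials travel as variables, never spliced into the document.
LOGIN_QUERY = """
query Login($username: String!, $password: String!) {
  login(username: $username, password: $password) {
    sessionToken
    sessionExpires
    errorCode
    errorMsg
  }
}
"""

FIND_BOOKS_QUERY = """
{
  find(type: Book, arcql: "*") {
    edges { node { ... on Book { hypi { id } title price } } }
  }
}
"""


def headers(token: str = "") -> dict:
    """Authorization carries the raw session/API token, as the post shows."""
    h = {"hypi-domain": HYPI_DOMAIN, "Content-Type": "application/json"}
    if token:
        h["Authorization"] = token
    return h


def http_transport(url: str, hdrs: dict, body: dict) -> dict:
    """Real HTTP transport: POST the GraphQL body and decode the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=hdrs, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def graphql(query: str, variables=None, token: str = "", transport=http_transport) -> dict:
    """Send one GraphQL request; a top-level errors array (e.g. a permission
    denial when no AccessRight matches) is raised rather than ignored."""
    body = {"query": query, "variables": variables or {}}
    payload = transport(GRAPHQL_URL, headers(token), body)
    if payload.get("errors"):
        raise RuntimeError(f"GraphQL errors: {payload['errors']}")
    return payload["data"]


def login(username: str, password: str, transport=http_transport) -> str:
    """Return the sessionToken, or raise if login reported an errorCode."""
    data = graphql(LOGIN_QUERY, {"username": username, "password": password},
                   transport=transport)["login"]
    if data.get("errorCode") or not data.get("sessionToken"):
        raise PermissionError(f"login failed: {data.get('errorCode')} {data.get('errorMsg')}")
    return data["sessionToken"]


def list_books(token: str, transport=http_transport) -> list:
    """The find query from the post, authenticated with the session token."""
    data = graphql(FIND_BOOKS_QUERY, token=token, transport=transport)
    return [edge["node"] for edge in data["find"]["edges"]]


if __name__ == "__main__":
    session = login("User1", "User1")
    for book in list_books(session):
        print(book["hypi"]["id"], book["title"], book["price"])
```

To exercise it without a server, pass a callable with the same (url, headers, body) signature as http_transport that returns canned responses shaped like the results in the post; that is also the easiest way to confirm the client refuses to proceed when login returns an errorCode or when a query comes back with a permission error.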

If these AccessRights are not created, member users cannot retrieve the data at all: access is denied unless an approved AccessRight matches the resource, the operation and the member. The same deny-by-default applies to upsert and delete on Book, for which no right was granted, so a member who attempts them is refused.

This is a simple demonstration of how to create Access Rights with Resource Based Permissions. In the next post, we will see how to create Scope Based Permissions.
