How to provide Access Rights to different users

In the previous posts, we have seen Resource Based Permissions and Scope Based Permissions.

Now we will check different scenarios to provide appropriate permissions.

Scenario 1:

User1 creates a resource and wants to provide access to User2 to read the data within the resource.

Let’s say User1 sends a text message to User2.
Here, Message is a data type and User1 creates a Message object. He wants to give User2 permission to read the message text; other users won't be able to read the Message.

type Message {
  text: String
}

Here are the steps to create the access right.

  1. User1 logs into an instance.
{
  login(
    username: "User1",
    password: "User1"
  ) {
    sessionToken
    sessionExpires
    errorCode
    errorMsg
  }
}
  2. He creates a Message object.
mutation {
  upsert(values: { Message: [{ text: "Hi!" }] }) {
    id
  }
}
#result
{
  "data": {
    "upsert": [
      {
        "id": "01G29XT20KV82KACE8T6HE3DHN"
      }
    ]
  }
}

  3. System admin creates an Access Right for User2 to query the Message object created by User1.

Here, User1 cannot provide the necessary access rights. Only the System admin can do that. The System Admin needs to set the resource owner id while creating the Access Right. The Resource Owner is the one who created the resource.

(Note: Open another Console to create the Access Right. The default login will be that of the system admin.)

mutation {
  upsert(
    values: {
      AccessRight: [
        {
          resource: "01G29XT20KV82KACE8T6HE3DHN"
          resourceType: "Message"
          operationType: "Query"
          operation: "*"
          resourceOwnerId: "01G1TH09DPVGFPP8W5ZYC1AC81"
          permissionType: RBP
          approved: true
          members: { hypi: { id: "01G1TH9D0PY4GG7RJDMDTXAG5F" } }
        }
      ]
    }
  ) {
    id
  }
}

Here, User1 is the resource owner who created the Message object. The hypi.id of the User1 Account should be set as the resourceOwnerId.

The members field indicates to whom the access right is given. Here we have provided the hypi.id of the User2 Account.

  4. User2 logs in and executes the query to read the Message text. (Remember to use the session token generated at login as the Authorization token when executing the query.)
{
  find(type: Message, arcql: "*") {
    edges {
      node {
        ... on Message {
          text
        }
      }
      cursor
    }
  }
}
#result
{
  "data": {
    "find": {
      "edges": [
        {
          "node": {
            "text": "Hi"
          },
          "cursor": "01G22F0B5GNVY1YJ7D4RYT87SF"
        }
      ]
    }
  }
}
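As an added example (not part of this post and not Hypi's own implementation), the following Python models the decision the four steps rely on: the AccessRight from step 3 as data, and an assumed rule that the resource owner always has access while any other account needs an approved RBP right that names the resource, the operation type and either the operation or "*". USER3 and the OWNERS table are constructed placeholders; the other ids are copied from the post.

```python
from dataclasses import dataclass

# Ids copied from the post; USER3 and OWNERS are constructed for this example.
USER1 = "01G1TH09DPVGFPP8W5ZYC1AC81"       # hypi.id of User1, the resource owner
USER2 = "01G1TH9D0PY4GG7RJDMDTXAG5F"       # hypi.id of User2, the account granted access
USER3 = "USER3-PLACEHOLDER-ID"             # constructed: an account with no access right
MESSAGE_ID = "01G29XT20KV82KACE8T6HE3DHN"  # id returned by the upsert of the Message object
OWNERS = {MESSAGE_ID: USER1}               # constructed: who created each resource (step 2)

@dataclass(frozen=True)
class AccessRight:
    """The fields of the AccessRight object the system admin upserts in step 3."""
    resource: str
    resourceType: str
    operationType: str       # "Query" or "Mutation"
    operation: str           # one operation name, or "*" for any operation of that type
    resourceOwnerId: str     # hypi.id of the account that created the resource
    members: frozenset       # hypi.id values of the accounts the right is granted to
    permissionType: str = "RBP"
    approved: bool = True

MESSAGE_READ_RIGHT = AccessRight(          # the right from step 3, as data
    resource=MESSAGE_ID, resourceType="Message", operationType="Query", operation="*",
    resourceOwnerId=USER1, members=frozenset({USER2}),
)

def is_allowed(rights, user_id, resource_id, resource_type, operation_type, operation):
    """Assumed rule (a model of the post's description, not Hypi's code): the owner always has
    access; anyone else needs an approved RBP right matching resource, type and operation."""
    if OWNERS.get(resource_id) == user_id:         # User1 created the Message
        return True
    for r in rights:
        if r.resource != resource_id or r.resourceType != resource_type:
            continue
        if not (r.approved and r.permissionType == "RBP"):
            continue                               # an unapproved right grants nothing
        if (user_id in r.members and r.operationType == operation_type
                and r.operation in ("*", operation)):
            return True
    return False                                   # default deny: other users cannot read

def can_read_message(user_id, rights=(MESSAGE_READ_RIGHT,)):
    """Step 4: may this account run the `find` query on the Message?"""
    return is_allowed(rights, user_id, MESSAGE_ID, "Message", "Query", "find")

def can_edit_message(user_id, rights=(MESSAGE_READ_RIGHT,)):
    """The right only covers Query, so an upsert on the Message by User2 is refused."""
    return is_allowed(rights, user_id, MESSAGE_ID, "Message", "Mutation", "upsert")
```

The right grants only the Query operation type, so the model refuses a Mutation by User2 even though the operation field is "*".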

We will see a second scenario in the next post.