Security Examples

You can familiarize yourself with security using the security examples that are included with the Sample API.
Verify Prerequisite
Before using the following security examples, ensure you understand authentication and authorization.
Complex Permission Predicates
In the following security example, the row filter ensures that guests (authorized for the Guest role) do not see orders for secret parts, such as Stealth Bolts. The row filter is a correlated subquery.
You can view an example of permissions in the Sample API.
Follow these steps:
  1. With the Sample API open, in the Manage section, click Security.
  2. Select the Guest role.
  3. Click the Entity Permissions tab.
  4. View the row filter in the Row Filter field:
     "ident" not in (
       select o."ident" from "orders" o
         join "lineitems" l on l."order_ident" = o."ident"
         left join "products" p on p."name" = l."product_name"
       where p."is_secret" = true)
Assign Globals
Each user is assigned the Normal user role, which in the Sample API filters orders based on their amount. The global value that is referenced in the row filter specifies the exact amount for each user.
Best Practice:
Assign a global to user-based rows, as shown in the Demo API Sample.
The following image shows the Lincoln, A auth token in the Sample API:
This auth token defines a maxAmount global value. The A. Lincoln user is assigned to the Normal user role. This role specifies the Access orders permission for the orders table and uses the maxAmount global value in the row filter:
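The following script is an added example, not code from the Sample API or the product, showing how a role's row filter is appended to the base SELECT before execution. It runs the Guest row filter shown above and a Normal user filter that references the maxAmount global against a constructed in-memory copy of the orders, lineitems and products tables; the schema, the sample rows, the Normal user filter text and the augmented_sql helper are assumptions, since the page shows only the Guest filter.

```python
import sqlite3

# Constructed schema mirroring the Sample API's orders/lineitems/products tables (assumption).
SCHEMA = """
CREATE TABLE products (name TEXT PRIMARY KEY, is_secret INTEGER);
CREATE TABLE orders (ident INTEGER PRIMARY KEY, amount REAL);
CREATE TABLE lineitems (ident INTEGER PRIMARY KEY, order_ident INTEGER, product_name TEXT);
"""
# Constructed sample data: order 2 contains a secret part, order 2 also has the largest amount.
SAMPLE_ROWS = [
    ("INSERT INTO products VALUES (?, ?)", [("Hammer", 0), ("Stealth Bolt", 1)]),
    ("INSERT INTO orders VALUES (?, ?)", [(1, 50.0), (2, 500.0), (3, 20.0)]),
    ("INSERT INTO lineitems VALUES (?, ?, ?)",
     [(1, 1, "Hammer"), (2, 2, "Stealth Bolt"), (3, 3, "Hammer")]),
]

# Row filter of the Guest role as shown on the page; SQLite spells the boolean as 1 (assumption).
GUEST_ROW_FILTER = """"ident" not in (
  select o."ident" from "orders" o
    join "lineitems" l on l."order_ident" = o."ident"
    left join "products" p on p."name" = l."product_name"
  where p."is_secret" = 1)"""

# Row filter for the Normal user role referencing the maxAmount global (constructed; the page
# states the filter uses the global but does not print its text). The global is bound as a
# parameter, never pasted into the SQL string, so the user's value cannot alter the filter.
NORMAL_USER_ROW_FILTER = '"amount" <= :maxAmount'


def augmented_sql(table, row_filter):
    """Security-augmented SQL: the base SELECT with the role's row filter appended (hypothetical)."""
    return f'select * from "{table}" where {row_filter} order by "ident"'


def fetch_orders(row_filter, globals_=None):
    """Run the augmented query for one role and return the visible order idents."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt, rows in SAMPLE_ROWS:
        conn.executemany(stmt, rows)
    sql = augmented_sql("orders", row_filter)
    return [row[0] for row in conn.execute(sql, globals_ or {})]


if __name__ == "__main__":
    print(augmented_sql("orders", GUEST_ROW_FILTER))
    print("Guest sees orders:", fetch_orders(GUEST_ROW_FILTER))
    print("A. Lincoln (maxAmount=100) sees orders:",
          fetch_orders(NORMAL_USER_ROW_FILTER, {"maxAmount": 100}))
```

The Guest role never sees order 2 because it contains a Stealth Bolt, while the Normal user role sees only the orders whose amount is at or below the maxAmount bound to that user's auth token.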
Examine Security-Augmented SQL using the REST Lab
Verify the proper operation using logging and the REST Lab.
Follow these steps:
  1. With the Sample API open, in the Manage section, click Auth Tokens.
  2. Select the Lincoln, A authentication token.
  3. Click the Logging tab.
  4. Change the logging settings Administration through Resources to Debug, which are the typical logging settings, and then save your changes.
  5. In the Execute section, click REST Lab.
  6. Issue a GET request for the orders table with the Broad access auth token by selecting the Table endpoint, selecting the sample:orders table, choosing the Lincoln, A authentication token, and then clicking GET.
You can now verify the result and see the generated SQL.