You can familiarize yourself with security using the security examples that are included with the Sample API.
Before using the following security examples, ensure you understand authentication and authorization.
For more information, see Authorization and Role-Based Endpoint Access.
Complex Permission Predicates
In the following security example, the row filter ensures that guests (authorized for the Guest role) do not see orders for secret parts, such as Stealth Bolts. The row filter is a correlated subquery.
You can view an example of permissions in the Sample API.
Follow these steps:
- With the Sample API open, in the Manage section, click Security.
- Select the Guest role.
- Click the Entity Permissions tab.
- View the row filter in the Row Filter field: "ident" not in (select o."ident" from "orders" o join "lineitems" l on l."order_ident" = o."ident" left join "products" p on p."name" = l."product_name" where p."is_secret" = true)
Each user is assigned the Normal user role, which, in the Sample API, filters orders based on their amount. The global value that is referenced in the row filter specifies the exact amount for each user.
Best Practice: Assign a global to user-based rows, as shown in the Demo API Sample.
The following image shows the Lincoln, A auth token in the Sample API:
[Image: the Lincoln, A auth token in the Sample API]
This auth token defines a maxAmount global value. The A. Lincoln user is assigned to the Normal user role. This role specifies the Access orders permission for the orders table and uses the maxAmount global value in the row filter.
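As an added illustration (not code from the Sample API or the product), the following Python script builds and runs security-augmented SQL for the orders table the way the two row filters above describe. The Guest predicate is the one shown above; the Normal user predicate, the @{maxAmount} notation for the global, the table columns and the sample rows are assumptions constructed for this example.

```python
import re
import sqlite3

# Constructed schema and rows, loosely modelled on the Sample API (not its data).
SCHEMA = """
create table orders (ident integer primary key, customer text, amount_total real);
create table products (name text primary key, is_secret integer);
create table lineitems (ident integer primary key, order_ident integer, product_name text);
insert into orders values (1, 'Alpha', 500), (2, 'Beta', 9000),
                          (3, 'Gamma', 120), (4, 'Delta', 2500);
insert into products values ('Stealth Bolts', 1), ('Hex Nuts', 0);
insert into lineitems values (10, 1, 'Hex Nuts'), (11, 2, 'Stealth Bolts'),
                             (12, 3, 'Hex Nuts'), (13, 4, 'Hex Nuts');
"""

# Row filters per role. The Guest predicate is the one shown on the page
# (SQLite lacks a dependable boolean literal, so `= true` is written `= 1`).
# The Normal user predicate is an assumed shape that references the
# maxAmount global with the @{name} notation, also an assumption here.
ROW_FILTERS = {
    "Guest": '"ident" not in (select o."ident" from "orders" o '
             'join "lineitems" l on l."order_ident" = o."ident" '
             'left join "products" p on p."name" = l."product_name" '
             'where p."is_secret" = 1)',
    "Normal user": '"amount_total" <= @{maxAmount}',
}

def augment_sql(base_sql, role, globals_):
    """Append the role's row filter to base_sql. Each @{name} global is bound
    as a query parameter, never spliced into the SQL text, so a per-user value
    cannot change the structure of the predicate."""
    params = []
    def bind(match):
        params.append(globals_[match.group(1)])
        return "?"
    predicate = re.sub(r"@\{(\w+)\}", bind, ROW_FILTERS[role])
    return f"{base_sql} where {predicate}", params

def visible_orders(role, globals_=None):
    """Run the augmented query as the given role; return the order idents it may see."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql, params = augment_sql('select "ident" from "orders"', role, globals_ or {})
    return sorted(row[0] for row in conn.execute(sql, params))

if __name__ == "__main__":
    print("Guest sees:", visible_orders("Guest"))                               # [1, 3, 4]
    print("Lincoln sees:", visible_orders("Normal user", {"maxAmount": 1000}))  # [1, 3]
```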
Examine Security-Augmented SQL using the REST Lab
Verify the proper operation using logging and the REST Lab.
Follow these steps:
- With the Sample API open, in the Manage section, click Auth Tokens.
- Select the Lincoln, A authentication token.
- Click the Logging tab.
- Change the logging settings Administration through Resources to Debug, which are the typical logging settings, and then save your changes.
- In the Execute section, click REST Lab.
- Issue a GET request for the orders table with the Lincoln, A auth token by selecting the Broad access endpoint, selecting Table, choosing the sample:orders table, choosing the Lincoln, A authentication token, and then clicking GET.
You have verified the result and can see the generated SQL.