You can familiarize yourself with security using the security examples that are included with the Sample API.
Before using the following security examples, ensure you understand authentication and authorization.
For more information, see Authorization and Role-Based Endpoint Access.
Complex Permission Predicates
In the following security example, the row filter ensures that guests (users authorized for the Guest role) do not see orders that contain secret parts, such as Stealth Bolts. The row filter is a NOT IN subquery: an order is hidden when its ident appears among the orders whose line items reference a product flagged is_secret.
To view this row filter in the Sample API:
- With the Sample API open, in the Secure section, click API Roles.
- Select the Guest role.
- Click the Entity Permissions tab.
- View the row filter in the Row Filter field:

    "ident" not in (select o."ident" from "orders" o
      join "lineitems" l on l."order_ident" = o."ident"
      left join "products" p on p."name" = l."product_name"
      where p."is_secret" = true)
Each user is also assigned the Normal user role, which in the Sample API filters orders by their amount. The row filter does not hard-code the limit; it references a global value, and each user's auth token sets that global, so the amount limit is specific to the user making the request.
Best Practice: Where rows must be filtered per user, assign the per-user value to a global on the auth token, as shown in the Demo API Sample.
The Lincoln, A auth token in the Sample API (shown in the original screenshot) defines a maxAmount global value. The A. Lincoln user is assigned to the Normal user role. This role specifies the Access orders permission for the orders table and uses the maxAmount global value in its row filter.
Examine Security-Augmented SQL using the REST Lab
To verify that the row filter is applied, turn on logging for the auth token and issue a request from the REST Lab:
- With the Sample API open, in the Secure section, click Auth Tokens.
- Select the Lincoln, A authentication token.
- Click the Logging tab.
- Set the logging levels from Administration through Resources to Debug (the typical logging settings), and then save your changes.
- In the Tools section, click REST Lab.
- Issue a GET request for the orders table with the Lincoln, A auth token: select the Table endpoint, select the sample:orders table, choose the Lincoln, A authentication token, and then click GET.
The response contains only the orders that pass the row filter for A. Lincoln, and the log shows the generated SQL, including the predicate added from the row filter.
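The following Python example is added here to show, offline, what the security-augmented SQL from the two preceding sections looks like once the Guest row filter and the Normal user maxAmount global are applied; it is not code from the Sample API or the product. It assumes a SQLite stand-in for the Sample API database, a constructed set of orders, line items and products (table and column names taken from the row filter quoted above, data invented), the role-to-filter mapping held in a dictionary, and auth-token globals passed as named SQL parameters.

```python
import re
import sqlite3
from typing import Dict, Iterable, List

# Constructed schema and rows modelled on the Sample API's orders, lineitems and
# products tables. Table and column names follow the row filter quoted on this
# page; the customers, products and amounts are invented for the example.
SCHEMA = """
create table products (name text primary key, is_secret integer not null);
create table orders (ident integer primary key, customer text not null,
                     amount real not null);
create table lineitems (order_ident integer not null references orders(ident),
                        product_name text not null references products(name));
"""
PRODUCTS = [("Hammer", 0), ("Stealth Bolt", 1)]
ORDERS = [(1, "A. Lincoln", 120.0), (2, "A. Lincoln", 450.0),
          (3, "G. Washington", 80.0), (4, "G. Washington", 900.0),
          (5, "A. Lincoln", 50.0)]  # order 5 has no line items at all
LINEITEMS = [(1, "Hammer"), (2, "Stealth Bolt"), (3, "Stealth Bolt"),
             (3, "Hammer"), (4, "Hammer")]

# Row filter per role, as the Entity Permission on "orders" would hold it.
# Guest: the NOT IN subquery shown on this page (SQLite has no boolean literal,
# so true is written as 1). Normal user: the amount limit, with the maxAmount
# global from the caller's auth token referenced as a named parameter.
ROW_FILTERS: Dict[str, str] = {
    "Guest": ('"ident" not in (select o."ident" from "orders" o '
              'join "lineitems" l on l."order_ident" = o."ident" '
              'left join "products" p on p."name" = l."product_name" '
              'where p."is_secret" = 1)'),
    "Normal user": '"amount" <= :maxAmount',
}


def open_sample_db() -> sqlite3.Connection:
    """Create the in-memory sample database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into products values (?, ?)", PRODUCTS)
    conn.executemany("insert into orders values (?, ?, ?)", ORDERS)
    conn.executemany("insert into lineitems values (?, ?)", LINEITEMS)
    return conn


def augment_sql(base_sql: str, roles: Iterable[str],
                token_globals: Dict[str, object]) -> str:
    """Append the row filter of every role the caller holds, joined with AND.

    The caller never gets a query without its roles' predicates. A filter that
    names a global the auth token does not define raises, so the request fails
    closed instead of silently running with a missing limit.
    """
    predicates = []
    for role in roles:
        if role not in ROW_FILTERS:
            raise ValueError(f"no row filter defined for role {role!r}")
        row_filter = ROW_FILTERS[role]
        for name in re.findall(r":(\w+)", row_filter):
            if name not in token_globals:
                raise ValueError(
                    f"role {role!r} needs global {name!r}, missing from auth token")
        predicates.append(f"({row_filter})")
    if not predicates:
        raise ValueError("caller holds no role: refusing to run unfiltered")
    return f"{base_sql} where " + " and ".join(predicates)


def visible_orders(conn: sqlite3.Connection, roles: Iterable[str],
                   token_globals: Dict[str, object]) -> List[int]:
    """Return the order idents the caller is allowed to see."""
    sql = augment_sql('select "ident" from "orders"', roles, token_globals)
    rows = conn.execute(sql + ' order by "ident"', token_globals).fetchall()
    return [ident for (ident,) in rows]


if __name__ == "__main__":
    db = open_sample_db()
    # A. Lincoln: Normal user role, auth token carrying maxAmount = 300
    print(augment_sql('select "ident" from "orders"', ["Normal user"],
                      {"maxAmount": 300}))
    print(visible_orders(db, ["Normal user"], {"maxAmount": 300}))  # [1, 3, 5]
    print(visible_orders(db, ["Guest"], {}))  # [1, 4, 5]
    print(visible_orders(db, ["Guest", "Normal user"], {"maxAmount": 300}))  # [1, 5]
```

Two points worth checking against your own row filters: a caller holding both roles gets the conjunction of both predicates, never the more permissive one, and a global that the filter references but the auth token does not carry should fail the request rather than run the query with the predicate silently dropped. Also note the NOT IN form only behaves because the subquery selects a primary key; if the subquery could return a NULL, NOT IN evaluates to unknown for every row and the Guest would see nothing at all.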