Security Examples

You can familiarize yourself with security using the security examples that are included with the Sample API.
Verify Prerequisite
Before using the following security examples, ensure you understand authentication and authorization.
Complex Permission Predicates
In the following security example, the row filter ensures that guests (users authorized for the Guest role) do not see orders for secret parts, such as Stealth Bolts. The row filter is a correlated subquery.
You can view an example of permissions in the Sample API.
Follow these steps:
  1. With the Sample API open, in the Secure section, click API Roles.
  2. Select the Guest role.
  3. Click the Entity Permissions tab.
  4. View the row filter in the Row Filter field:
     "ident" not in (
     select o."ident" from "orders" o
     join "lineitems" l on l."order_ident" = o."ident"
     left join "products" p on p."name" = l."product_name"
     where p."is_secret" = true)
Assign Globals
Each user is assigned the Normal user role, which, in the Sample API, filters orders based on their amount. The global value that is referenced in the row filter specifies the exact amount for each user.
Best Practice: Assign a global to user-based rows, as shown in the Demo API Sample.
The following image shows the Lincoln, A auth token in the Sample API:
 
 
This auth token defines a maxAmount global value. The A. Lincoln user is assigned to the Normal user role. This role specifies the Access orders permission for the orders table and uses the maxAmount global value in the row filter:
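To see what the security-augmented query does with these row filters, here is an added example (not code from the Sample API or the product) that runs the Guest row filter shown above and a maxAmount-based Normal user filter against a constructed SQLite copy of the orders schema. The exact expression of the Normal user filter, the table columns and the order amounts are assumptions.

```python
import sqlite3

# Row filter from the page's Guest role permission. SQLite has no native boolean,
# so the page's "= true" is written as "= 1" here (is_secret is stored as 1/0).
GUEST_ROW_FILTER = '''"ident" not in (
  select o."ident" from "orders" o
  join "lineitems" l on l."order_ident" = o."ident"
  left join "products" p on p."name" = l."product_name"
  where p."is_secret" = 1)'''

# Assumed shape of the Normal user row filter: the page only says it compares the
# order amount against the per-user maxAmount global carried by the auth token.
NORMAL_ROW_FILTER = '"amount" <= :maxAmount'


def build_sample_db():
    """Constructed in-memory stand-in for the Sample API's orders schema."""
    con = sqlite3.connect(":memory:")
    con.executescript('''
      create table products(name text primary key, is_secret integer not null);
      create table orders(ident integer primary key, amount real not null);
      create table lineitems(ident integer primary key,
                             order_ident integer references orders(ident),
                             product_name text references products(name));
      insert into products values ('Stealth Bolt', 1), ('Hex Nut', 0);
      insert into orders values (1, 50.0), (2, 900.0), (3, 120.0);
      insert into lineitems values (1, 1, 'Hex Nut'), (2, 2, 'Stealth Bolt'),
                                   (3, 3, 'Hex Nut');
    ''')
    return con


def augmented_sql(row_filter):
    """Append the role's row filter to the base query, as the generated SQL does."""
    return f'select "ident", "amount" from "orders" where {row_filter} order by "ident"'


def secure_select(con, row_filter, globals_=None):
    """Run the augmented query; globals_ supplies auth-token values such as maxAmount."""
    return [row[0] for row in con.execute(augmented_sql(row_filter), globals_ or {})]


if __name__ == "__main__":
    db = build_sample_db()
    print("guest sees:", secure_select(db, GUEST_ROW_FILTER))  # [1, 3]
    print("A. Lincoln sees:",
          secure_select(db, NORMAL_ROW_FILTER, {"maxAmount": 100}))  # [1]
```

Order 2 carries the secret Stealth Bolt line item, so it disappears for the Guest role, while the Normal user filter hides it only because its amount exceeds that user's maxAmount.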
Examine Security-Augmented SQL using the REST Lab
Verify the proper operation using logging and the REST Lab.
Follow these steps:
  1. With the Sample API open, in the Secure section, click Auth Tokens.
  2. Select the Lincoln, A authentication token.
  3. Click the Logging tab.
  4. Set the logging levels for the categories from Administration through Resources to Debug (the typical logging settings), and then save your changes.
  5. In the Tools section, click REST Lab.
  6. Issue a GET request for the orders table with the Broad access auth token by selecting the Table endpoint, selecting the sample:orders table, choosing the Lincoln, A authentication token, and then clicking GET.
You have verified the result and can see the generated SQL.