Demo API Security

The Demo API Security defines a SalesRep role that provides fine-grained access control to purchaseorders:
  • Filters purchaseorders for the current Sales Rep (applies to Sales Reps only).
  • Disables update access to the paid attribute.

Background - row filtering based on "user" table values

The employee object in the following image has a unique key on login. We want to be able to use the employee values to filter rows in other tables. In this example, we want to filter purchaseorders whose salesrep_id matches the employee_id of the currently logged-in employee.

Implement Row Filtering

Implement row filtering as described in the following subsections.

Define SalesRep role, associate employee row using Global

To apply the security to Sales Reps only, define a role and a global named SalesRepContext that selects the desired employee row, using the current user's login credentials (_apikey.user_identifier). Selecting the Required checkbox throws an error if a row is not found.

The following image shows the Manage, Roles, Globals page:

Define Table Filter using Global value

Use the SalesRepContext global in the Permissions for table purchaseorder. The predicate refers to the Global using the @{<globalName>.<globalAttribute>} syntax. In this case, the attribute is the employee_id from the employee row that was obtained. The SalesRep role does not authorize update.

When the predicate is accessed by users assigned to the SalesRep role, it is merged into all resources defined for purchaseorder. You can also use such global-parameterized filters for a specific resource.

The following image shows the Manage, Roles, Permissions page:

Column Access Permissions

Authorize update by defining an additional permission, as shown in the following image, omitting the paid column:
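The following Python/sqlite3 model is an added example, not the product's own code or configuration, and it illustrates both the row filter (Define Table Filter using Global value) and the column permission (Column Access Permissions) described above. It assumes a hypothetical in-memory representation of the Global definition and the role permissions (`GLOBALS`, `ROLE_PERMISSIONS`, `SecurityError`, and the helper functions are all constructed here); the sample employee and purchaseorder rows are likewise constructed. It shows how the `@{<globalName>.<globalAttribute>}` reference is resolved from the user identifier into a bound parameter, how a Required global with no matching row becomes an error, and how an update to the omitted `paid` column is refused before any SQL runs.

```python
import re
import sqlite3

# Matches the @{<globalName>.<globalAttribute>} reference syntax used in predicates.
PLACEHOLDER = re.compile(r"@\{(\w+)\.(\w+)\}")


class SecurityError(Exception):
    """Raised when a Required Global finds no row or a column update is not authorized."""


# Hypothetical Global definition (constructed for this example): selects the employee row
# for the current user's login; Required means "no row" is an error, not an empty filter.
GLOBALS = {
    "SalesRepContext": {
        "sql": "SELECT employee_id, login FROM employee WHERE login = :user_identifier",
        "required": True,
    },
}

# Hypothetical permission set (constructed) for role SalesRep on table purchaseorder.
# The filter refers to the Global; update_columns lists what may change, with paid omitted.
ROLE_PERMISSIONS = {
    "SalesRep": {
        "purchaseorder": {
            "filter": "salesrep_id = @{SalesRepContext.employee_id}",
            "update_columns": {"notes"},
        }
    }
}


def open_demo_db():
    """Constructed sample data: employee has a unique key on login."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE employee (employee_id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL);
        CREATE TABLE purchaseorder (order_id INTEGER PRIMARY KEY, salesrep_id INTEGER NOT NULL,
                                    paid INTEGER NOT NULL DEFAULT 0, notes TEXT);
        INSERT INTO employee VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO purchaseorder VALUES (10, 1, 0, NULL), (11, 2, 0, NULL), (12, 1, 1, NULL);
    """)
    return conn


def resolve_global(conn, name, user_identifier):
    """Select the Global's row for the API key's user identifier; Required -> error if none."""
    spec = GLOBALS[name]
    row = conn.execute(spec["sql"], {"user_identifier": user_identifier}).fetchone()
    if row is None and spec["required"]:
        raise SecurityError(f"required global {name} found no row for {user_identifier!r}")
    return dict(row) if row is not None else None


def merge_filter(conn, role, table, user_identifier):
    """Turn the role's predicate into a parameterized SQL fragment plus bound parameters.

    Each @{Global.attr} becomes a named parameter, so the Global value is never
    spliced into the SQL text.
    """
    perm = ROLE_PERMISSIONS[role][table]
    resolved, params = {}, {}

    def substitute(match):
        gname, attr = match.groups()
        if gname not in resolved:
            resolved[gname] = resolve_global(conn, gname, user_identifier)
        key = f"{gname}_{attr}"
        params[key] = resolved[gname][attr]
        return f":{key}"

    return PLACEHOLDER.sub(substitute, perm["filter"]), params


def read_purchaseorders(conn, role, user_identifier):
    """Every read for the role gets the merged predicate appended; returns visible order_ids."""
    where, params = merge_filter(conn, role, "purchaseorder", user_identifier)
    rows = conn.execute(
        f"SELECT order_id FROM purchaseorder WHERE {where} ORDER BY order_id", params)
    return [r["order_id"] for r in rows]


def update_purchaseorder(conn, role, user_identifier, order_id, changes):
    """Column permission is checked first; the row filter is then applied to the UPDATE itself."""
    perm = ROLE_PERMISSIONS[role]["purchaseorder"]
    denied = set(changes) - perm["update_columns"]
    if denied:
        raise SecurityError(f"role {role} may not update column(s) {sorted(denied)}")
    where, params = merge_filter(conn, role, "purchaseorder", user_identifier)
    # Column names reach the SQL only after passing the allow-list above.
    assignments = ", ".join(f"{col} = :new_{col}" for col in changes)
    params.update({f"new_{col}": val for col, val in changes.items()})
    params["order_id"] = order_id
    cur = conn.execute(
        f"UPDATE purchaseorder SET {assignments} WHERE order_id = :order_id AND ({where})", params)
    return cur.rowcount  # 0 when the row exists but belongs to another Sales Rep


def raises_security_error(fn, *args):
    """True if calling fn(*args) is refused by the security layer."""
    try:
        fn(*args)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    db = open_demo_db()
    print(read_purchaseorders(db, "SalesRep", "alice"))
    print(update_purchaseorder(db, "SalesRep", "alice", 11, {"notes": "not her order"}))
    print(raises_security_error(update_purchaseorder, db, "SalesRep", "alice", 10, {"paid": 1}))
```

Resolving the Global once per request and binding its value as a parameter is the important design point: the filter is merged into both reads and updates, so a Sales Rep cannot modify another rep's order even by supplying its order_id directly, and the `paid` column is rejected before any statement is built.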