
Security Examples

The following examples show how role permissions, row filters, and auth token globals work together to restrict what each user can read. Browse them to get the basic idea; each one points to the page that describes the feature in detail.

Prerequisite: You understand authentication and authorization.

For more information, see Authentication and Authorization.

Complex Permission Predicates

In the following security example, the row filter ensures that Guests (users authorized for the Guest role) do not see orders that contain secret parts such as Stealth Bolts. The row filter is a NOT IN predicate whose subquery collects the idents of every order with at least one secret product, as shown in the following code snippet. Note that the left joins combined with the where clause on _p.is_secret discard orders that have no line items or no matching product, so such orders pass the filter; and because ident is the primary key of orders the subquery never returns NULL, which would otherwise make NOT IN match no rows at all.

ident not in (
  select _o.ident from orders _o  
    left join lineitems _l on _l.order_ident = _o.ident 
    left join products _p on _p.name = _l.product_name 
  where _p.is_secret = true)

The following image shows the row filter on the Manage, Roles, Permissions tab:

For more information about defining role permissions, see Roles.

Assign Globals

Each general user is assigned the General User role, which filters orders by amount. The maximum amount for each user is not hard-coded in the row filter; it is supplied by a global value defined on that user's auth token and referenced from the row filter.

Best Practice: Drive per-user row filters from an auth token global rather than writing a separate permission for each user, as shown in the Demo API Security.

The following image shows the Manage, Auth Tokens, Details tab:

In this example, the auth token defines a global value named maxAmount. The user who presents this auth token is assigned to the General User role, which specifies the following permission for the orders table.

For more information about auth token globals, see Authorization.

The following image shows the maxAmount Global value that we defined on the Manage, Roles, Permissions tab:

Examine Security-Augmented SQL using the REST Lab

Verify that the row filter is actually applied by enabling logging and issuing a request from the REST Lab.

To do so:

  1. Go to Manage, Auth Tokens, Logging tab and define the auth token with the following (typical) logging settings. The following image shows the Manage, Auth Tokens, Logging tab:
  2. Go to the REST Lab and issue a GET request for Orders with this auth token by clicking GET.
The response contains only the rows the role permits, and the log shows the generated SQL, including the row filter predicate that was appended to the query for this auth token.
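The following example, added here and not part of the original page or the Demo API, reproduces the three sections above in one place: it builds a small constructed orders/lineitems/products database in SQLite, appends the Guest row filter from the Complex Permission Predicates example to the base query, applies the General User amount filter with the maxAmount global bound as a parameter, and returns the security-augmented SQL so you can compare it with what the REST Lab logging shows. The schema, the sample rows, and the :maxAmount placeholder are this example's own assumptions; the product's syntax for referencing a global inside a row filter is the one shown on the Manage, Roles, Permissions tab, not this placeholder.

```python
import sqlite3

# Constructed sample schema and rows for this example (not the Demo API's data):
# the three tables the Guest row filter references, plus amount_total on orders.
SCHEMA = """
create table products (name text primary key, is_secret integer not null);
create table orders (ident integer primary key, customer text not null,
                     amount_total real not null);
create table lineitems (order_ident integer not null references orders(ident),
                        product_name text not null references products(name));
"""

PRODUCTS = [("Bolt", 0), ("Stealth Bolt", 1), ("Nut", 0)]
ORDERS = [(1, "Alice", 500.0), (2, "Bob", 2500.0), (3, "Carol", 100.0), (4, "Dan", 50.0)]
LINEITEMS = [(1, "Bolt"), (2, "Stealth Bolt"), (2, "Nut"), (3, "Nut")]  # order 4 has no line items

# The Guest row filter from the page. SQLite stores booleans as integers,
# so the page's `is_secret = true` is written as `is_secret = 1` here.
GUEST_ROW_FILTER = """ident not in (
  select _o.ident from orders _o
    left join lineitems _l on _l.order_ident = _o.ident
    left join products _p on _p.name = _l.product_name
  where _p.is_secret = 1)"""

# Row filter for the General User role. The :maxAmount placeholder is this
# example's bound-parameter notation for the auth token global (an assumption),
# not the product's own global-reference syntax.
GENERAL_ROW_FILTER = "amount_total < :maxAmount"

BASE_SQL = "select ident, customer, amount_total from orders"


def build_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into products values (?, ?)", PRODUCTS)
    conn.executemany("insert into orders values (?, ?, ?)", ORDERS)
    conn.executemany("insert into lineitems values (?, ?)", LINEITEMS)
    return conn


def security_augmented_sql(row_filter):
    """The SELECT that runs for a role: the base query with the role's row filter
    appended. This is the shape of the SQL that logging makes visible."""
    return f"{BASE_SQL} where ({row_filter}) order by ident"


def guest_visible_orders(conn):
    """Order idents a Guest can read: every order without a secret product."""
    return [row[0] for row in conn.execute(security_augmented_sql(GUEST_ROW_FILTER))]


def general_user_visible_orders(conn, max_amount):
    """Order idents a General User can read, given that user's maxAmount global."""
    # The global is bound as a typed parameter, never pasted into the SQL text,
    # so a malformed global value cannot change the predicate.
    if isinstance(max_amount, bool) or not isinstance(max_amount, (int, float)):
        raise TypeError("maxAmount global must be numeric")
    sql = security_augmented_sql(GENERAL_ROW_FILTER)
    return [row[0] for row in conn.execute(sql, {"maxAmount": max_amount})]


if __name__ == "__main__":
    db = build_db()
    print(security_augmented_sql(GUEST_ROW_FILTER))
    print("Guest sees orders:", guest_visible_orders(db))  # [1, 3, 4]; order 2 has a Stealth Bolt
    print("General user (maxAmount=200) sees:", general_user_visible_orders(db, 200))  # [3, 4]
```

Order 4 has no line items, so the left joins produce no product row for it, the where clause drops it from the subquery, and it remains visible to Guests; that is the behaviour described in the Complex Permission Predicates section, not a bug. The type check on max_amount stands in for the validation you would want wherever a per-user value flows into a predicate.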