Demo API Security

The Demo API Security defines a SalesRep role that provides fine-grained access control to purchaseorders:
  • Filters purchaseorders for the current Sales Rep (applies to Sales Reps only).
  • Disables update access to the paid attribute.

Background - row filtering based on "user" table values

The employee object in the following image has a unique key on login. We want to be able to use the employee values to filter rows in other tables. In this example, we want to filter purchaseorders whose salesrep_id matches the employee_id of the currently logged-in employee.

Implement Row Filtering

Implement row filtering as described in the following subsections.

Define SalesRep role, associate employee row using Global

To apply the security only to Sales Reps, define a role and a global named SalesRepContext that selects the desired employee row, using the current user's login credentials (_apikey.user_identifier). To throw an error if a row is not found, select the Required checkbox.

The following image shows the current_employee_row global on the Manage, Roles, Globals tab:

Define Table Filter using Global Value

Use the SalesRepContext global in the Permissions for table purchaseorder. The predicate refers to the Global using the @{<globalName>.<globalAttribute>} syntax. In this case, the attribute is the employee_id from the employee row obtained by the global. The SalesRep role does not authorize update.

When a user assigned to the SalesRep role accesses purchaseorder, the predicate is merged into all resources defined for that table. You can also use such global-parameterized filters for a specific resource.

The following image shows the My Orders - no update of paid flag permission on the Manage, Roles, Permissions tab:

Define a Column Access Permission

Authorize update by defining an additional permission. The following image shows the My Orders Write permission, omitting the paid column, on the Manage, Roles, Permissions tab:
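The following is an added example, not code from the demo or the product, that models the three pieces configured above: the SalesRepContext global looked up from the current login (with the Required behaviour), the role predicate in @{<globalName>.<globalAttribute>} syntax merged into every purchaseorder query, and a write permission whose column list omits paid. It assumes a purchaseorder.salesrep_id column and uses the standard-library sqlite3 with constructed rows in place of the API's data source.

```python
import re
import sqlite3

# Constructed sample rows standing in for the demo's employee and purchaseorder tables.
EMPLOYEES = [(1, "sam"), (2, "ann")]                              # employee_id, login (unique)
ORDERS = [(100, 1, 0, ""), (101, 2, 0, ""), (102, 1, 1, "")]    # order_id, salesrep_id, paid, notes

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (employee_id INTEGER PRIMARY KEY, login TEXT UNIQUE)")
    db.execute("CREATE TABLE purchaseorder (order_id INTEGER PRIMARY KEY, salesrep_id INTEGER, paid INTEGER, notes TEXT)")
    db.executemany("INSERT INTO employee VALUES (?, ?)", EMPLOYEES)
    db.executemany("INSERT INTO purchaseorder VALUES (?, ?, ?, ?)", ORDERS)
    return db

def sales_rep_context(db, user_identifier, required=True):
    """The SalesRepContext global: the employee row for the current login (_apikey.user_identifier)."""
    row = db.execute("SELECT employee_id FROM employee WHERE login = ?", (user_identifier,)).fetchone()
    if row is None and required:  # the Required checkbox: no row is an error, not an empty filter
        raise PermissionError(f"no employee row for login {user_identifier!r}")
    return None if row is None else {"employee_id": row[0]}

# Role predicate in the page's @{<globalName>.<globalAttribute>} syntax, and the write allow-list.
PREDICATE = "salesrep_id = @{SalesRepContext.employee_id}"
GLOBAL_REF = re.compile(r"@\{(\w+)\.(\w+)\}")
WRITABLE_COLUMNS = {"salesrep_id", "notes"}  # the write permission omits 'paid'

def bind_predicate(predicate, globals_):
    """Turn each @{global.attr} reference into a bind parameter, never string concatenation."""
    params = []
    def sub(m):
        params.append(globals_[m.group(1)][m.group(2)])
        return "?"
    return GLOBAL_REF.sub(sub, predicate), params

def my_orders(db, user_identifier):
    """Read access: the role predicate is merged into every purchaseorder query."""
    where, params = bind_predicate(PREDICATE, {"SalesRepContext": sales_rep_context(db, user_identifier)})
    return [r[0] for r in db.execute(f"SELECT order_id FROM purchaseorder WHERE {where} ORDER BY order_id", params)]

def update_order(db, user_identifier, order_id, changes):
    """Write access: column allow-list first, then the same row filter; returns rows changed."""
    denied = set(changes) - WRITABLE_COLUMNS
    if denied:
        raise PermissionError(f"SalesRep may not update {sorted(denied)}")
    where, params = bind_predicate(PREDICATE, {"SalesRepContext": sales_rep_context(db, user_identifier)})
    sets = ", ".join(f"{col} = ?" for col in changes)  # safe: columns validated against the allow-list
    cur = db.execute(f"UPDATE purchaseorder SET {sets} WHERE order_id = ? AND {where}", [*changes.values(), order_id, *params])
    return cur.rowcount  # 0 when the order lies outside the rep's filter
```

Note that the update path applies both checks: a disallowed column is rejected before any SQL runs, and an order belonging to another rep simply matches no row, so the filter cannot be bypassed by addressing a row directly.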