graphql-engine/docs/graphql/manual/auth/authorization/index.rst

Authorization / Access control
==============================

.. contents:: Table of contents
   :backlinks: none
   :depth: 1
   :local:

Overview
--------

Hasura supports **role-based** authorization where access control is done by creating rules for each role,
table and operation (*insert*, *update*, etc.). These access control rules use dynamic session
variables that are passed to the GraphQL engine from your :doc:`authentication service <../authentication/index>`
with every request. Role information is inferred from the ``X-Hasura-Role`` and ``X-Hasura-Allowed-Roles``
session variables. Other session variables can be passed by your auth service as per your requirements.

**For example:**

.. thumbnail:: ../../../../img/graphql/manual/auth/hasura-perms.png
   :width: 80 %
   :alt: Create a permission rule

Trying out access control
-------------------------

If you just want to see role-based access control in action, you need not set up or integrate your
auth service with the GraphQL engine. You can just:

* Define permission rules for a table for a role.
* Use the GraphiQL interface in the console to make a request and send the session variables as
  request headers (*send an* ``X-Hasura-Role`` *key, with its value as the name of the role you've
  defined rules for*). The data in the response will be restricted as per your configuration.

Follow the example at :doc:`access control basics <basics>`.

**See:**

.. toctree::
   :maxdepth: 1

   basics
   roles-variables
   permission-rules
   common-roles-auth-examples
   role-multiple-rules