# Database Access Control

There are two kinds of permissions used by the Database REST API:
[branch permissions](branch_permission) and table permissions.
They are independent and defined separately: the table permissions are not specific to a branch.

These permissions are sets of user names or roles.
A user has a permission if the user name or one of the user's roles is in the set.

To perform an action, a user needs both permissions:

* To read a field, the user needs the read permission on this field of the table and must be a reader of the branch.
* To update a field, the user needs the write permission on this field and must be an owner of the branch.
* To insert or delete a row in a table, the user needs the write permission on all the fields of the table
  and must be an owner of the branch, and insertion or deletion must be activated for this table.

When discovering a table using the REST API, the result contains `canEdit`, `canInsert` and `canUpdate` fields.
These fields are user-specific: their values depend on the global table permissions and the user permissions.

## Table and Field Permissions

Permissions can be defined at the table level, or at the field level for finer-grained control.
Each field has two sets: readers and writers.
Giving a permission on a table is equivalent to giving that permission on each field of the table.

Additionally, each table can support insertion and deletion via the REST API.
When it does, a user who has WRITER permissions on each field of the table can insert or delete rows.

These permissions are stored in an `ITableSecurity`, which can be built like this:

```java
TableSecurityBuilder.startBuildingTableSecurity()
    .supportInsertion()
    .supportDeletion()
    .withTableWriters(ROLE_ADMIN)
    .withTableReaders(ROLE_USER)
    .addFieldPermission("currency", Collections.emptyList(), Arrays.asList(ROLE_USER))
    .build();
```

This table supports deletion and insertion.
`ROLE_ADMIN` can read and edit all the fields. `ROLE_USER` can read all the fields but can only update the `currency` field.
Because `ROLE_USER` does not have the write permission on every field, it is not allowed to insert or delete rows.
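
The combined rule from the top of this page, applied to the table security above, as an added model that is not Atoti's code or API. Class and method names are hypothetical, and the field names, users and branch sets are constructed sample values; the two assumptions marked in the comments are read off the example's description above.

```java
import java.util.*;

// Java 16+ model of the rules on this page. Hypothetical names, not the Atoti API.
public class DatabaseAccessModel {
    record TableSec(boolean insertion, boolean deletion,
                    Set<String> tableReaders, Set<String> tableWriters,
                    Map<String, Set<String>> fieldReaders, Map<String, Set<String>> fieldWriters) {}
    record Branch(Set<String> owners, Set<String> readers) {}

    // A permission is held when the user name or one of the roles is in the set.
    static boolean holds(Set<String> permission, Set<String> principals) {
        return !Collections.disjoint(permission, principals);
    }
    // Assumption from the page's example: field sets add to the table-level sets.
    static boolean fieldWrite(TableSec t, String f, Set<String> p) {
        return holds(t.tableWriters(), p) || holds(t.fieldWriters().getOrDefault(f, Set.of()), p);
    }
    // Assumption from the page's example: a writer of a field can also read it.
    static boolean fieldRead(TableSec t, String f, Set<String> p) {
        return fieldWrite(t, f, p) || holds(t.tableReaders(), p)
                || holds(t.fieldReaders().getOrDefault(f, Set.of()), p);
    }
    static boolean canRead(TableSec t, Branch b, String f, Set<String> p) {
        return holds(b.readers(), p) && fieldRead(t, f, p);
    }
    static boolean canUpdate(TableSec t, Branch b, String f, Set<String> p) {
        return holds(b.owners(), p) && fieldWrite(t, f, p);
    }
    // Insert and delete: table flag, branch ownership, write permission on every field.
    static boolean canChangeRows(boolean supported, TableSec t, Branch b, List<String> fields, Set<String> p) {
        return supported && holds(b.owners(), p) && fields.stream().allMatch(f -> fieldWrite(t, f, p));
    }

    public static void main(String[] args) {
        List<String> fields = List.of("id", "currency", "amount"); // constructed field names
        TableSec t = new TableSec(true, true, Set.of("ROLE_USER"), Set.of("ROLE_ADMIN"),
                Map.of("currency", Set.<String>of()), Map.of("currency", Set.of("ROLE_USER")));
        // Constructed branch: both roles read, alice and ROLE_ADMIN own.
        Branch b = new Branch(Set.of("alice", "ROLE_ADMIN"), Set.of("ROLE_USER", "ROLE_ADMIN"));
        Set<String> alice = Set.of("alice", "ROLE_USER"); // owner of the branch
        Set<String> bob = Set.of("bob", "ROLE_USER");     // reader of the branch only
        System.out.println("alice updates currency: " + canUpdate(t, b, "currency", alice));
        System.out.println("alice updates amount:   " + canUpdate(t, b, "amount", alice));
        System.out.println("alice inserts a row:    " + canChangeRows(t.insertion(), t, b, fields, alice));
        System.out.println("bob updates currency:   " + canUpdate(t, b, "currency", bob));
        System.out.println("bob reads amount:       " + canRead(t, b, "amount", bob));
    }
}
```

In this model alice can update `currency` but cannot update `amount` or insert a row, and bob can read `amount` but cannot update `currency` because he does not own the branch.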

## Branch permissions

The [branch permission manager](branch_permission) controls access to both the database and the cube.

## Starter

By default, [Atoti Server Starter](../starters/atoti_starter) does not define any security on the database REST service.
