Skip to main content

Datastore Access Control

There are two kinds of permissions used by the datastore REST API : branch permissions and store permissions. They are independent and defined separately : the store permissions are not specific to a branch.

These permissions are sets of usernames or roles. If a user has his name or one of his roles in the set then he has the permission.

To do an action a user need both permissions :

  • To read a field one needs the read permission on this field of the store and to be a reader of the branch
  • To update a field one needs the write permission on this field and to be owner of the branch
  • To insert/delete a line in a store, one needs the write permission on all the fields of the store, to be owner of the branch and the insertion/deletion must be activated in this store.

When discovering a store using the REST API, the result contains canEdit, canInsert and canUpdate fields. These fields are user specific : the value depends on the global store permissions and the user permissions.

Store and Field Permissions

The permissions can be defined at the store level or at the field level for more detailed permissions. Each field has 2 sets : readers and writers. Giving the permission to a store is equivalent to giving the permission for each field of that store.

Additionally each store can support insertion and deletion via the REST API. This means that a user that has WRITER permissions on each field of the store can insert or delete rows.

These permissions are stored in a IStoreSecurity which can be built like that :

StoreSecurityBuilder.startBuildingStoreSecurity()
        .supportInsertion()
        .supportDeletion()
        .withStoreWriters(ROLE_ADMIN)
        .withStoreReaders(ROLE_USER)
        .addFieldPermission("currency", Collections.emptyList(), Arrays.asList(ROLE_USER))
        .build();

This store supports deletion and insertion. ROLE_ADMIN can read and edit all the fields. ROLE_USER can read all the fields but only update the currency field, which means that he is not allowed to insert or delete rows.

Branch permissions

The branch permission manager controls the accesses to both the datastore and the cube.