Permission
TailorDB's permission system provides enhanced flexibility and performance for controlling access to your data. It introduces two key resources that work together to provide comprehensive access control:
- Permission: Record-level access control
- GQLPermission: GraphQL operation-level access control
The new permission system is recommended for all new applications. It addresses several limitations of the legacy permission system including better performance, support for non-UUID fields, and the ability to reference record values directly in permission rules.
Permission (Record-Level Control)
Permission is defined within the Type resource and controls which users can operate on which records.
Basic Structure
resource "tailor_tailordb_type" "example" {
  workspace_id = tailor_workspace.demo.id
  namespace    = tailor_tailordb.demo.namespace
  name         = "Example"

  fields = {
    # field definitions
  }

  permission = {
    create = [/* policies */]
    read   = [/* policies */]
    update = [/* policies */]
    delete = [/* policies */]
  }
}

Permission Types
Each permission type has different semantics:
Read Permission
Read Permissions act as automatic filters. Only records that match at least one policy can be retrieved.
permission = {
  read = [
    {
      conditions = [
        { left = { record = "userId" }, operator = "eq", right = { user = "_id" } }
      ]
      permit      = "allow"
      description = "Users can read their own records"
    }
  ]
}

Create/Update/Delete Permissions
These Permissions act as validation rules. If a record doesn't match any policy, the operation is prohibited and returns a permission denied error.
permission = {
  create = [
    {
      conditions = [
        { left = { user = "role" }, operator = "eq", right = { value = { string = "ADMIN" } } }
      ]
      permit      = "allow"
      description = "Administrators can create any record"
    }
  ]
}

Policy Evaluation
Multiple policies can be defined for each permission type. The evaluation follows these rules:
- Explicit allow required: If no policy matches, access is denied by default (implicit deny)
- Explicit deny takes precedence: A policy with permit = "deny" always overrides allow policies
- All conditions must match: Within a policy, all conditions must be satisfied for the policy to match
Operands
The following operands can be used in conditions:
record
Uses the value of a specified field from the record. Cannot be used in Update Permission (use old_record or new_record instead).
Supported field types: String, UUID, Enum, Boolean, and their array forms.
# Check if the record's status is "TODO"
{ left = { record = "status" }, operator = "eq", right = { value = { string = "TODO" } } }

old_record / new_record
Used in Update Permission to reference the existing or updated record values. Cannot be used in Create/Read/Delete Permissions.
The supported field types are the same as for record.
# Check if the old record's assigneeId matches the user ID
{ left = { old_record = "assigneeId" }, operator = "eq", right = { user = "_id" } }

user
Uses the value of a specified field from the user's AttributeMap (defined in the Auth service).
# Check if the user's role is "ADMIN"
{ left = { user = "role" }, operator = "eq", right = { value = { string = "ADMIN" } } }

value
Uses a specified value directly. Supports String, Boolean, and their array types.
# Check if the record's status is in a specific set of values
{ left = { record = "status" }, operator = "in", right = { value = { string_array = ["TODO", "IN_PROGRESS"] } } }

Operators
The following operators are supported:
eq / ne
Equality and inequality comparison.
# Check if the record's status is "TODO"
{ left = { record = "status" }, operator = "eq", right = { value = { string = "TODO" } } }
# Check if the user's role is not "ADMIN"
{ left = { user = "role" }, operator = "ne", right = { value = { string = "ADMIN" } } }

in / nin
Array membership and non-membership.
# Check if the record's status is in a set of values
{ left = { record = "status" }, operator = "in", right = { value = { string_array = ["TODO", "IN_PROGRESS"] } } }
# Check if the user's role is not in a set of values
{ left = { user = "role" }, operator = "nin", right = { value = { string_array = ["GUEST", "USER"] } } }

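The evaluation rules, operands and operators above can be checked against a small reference evaluator. The following is an added example, not TailorDB's own code: policies are plain dicts mirroring the HCL, the Task create policies are transcribed from this page, and the read deny policy, the update policy, the user `status` attribute and all sample users and records are constructed for illustration.

```python
from typing import Any

# Operators from the page, keyed by their HCL operator name.
OPERATORS = {
    "eq":  lambda l, r: l == r,
    "ne":  lambda l, r: l != r,
    "in":  lambda l, r: l in r,
    "nin": lambda l, r: l not in r,
}

def resolve(operand: dict, ctx: dict) -> Any:
    """Resolve one side of a condition. `value` is a literal; record /
    old_record / new_record / user read a field from the matching dict in ctx.
    An operand the operation does not provide is an error, mirroring the rule
    that `record` cannot be used in Update Permission (and old/new elsewhere)."""
    if "value" in operand:
        return next(iter(operand["value"].values()))  # {"string": ..} / {"string_array": [..]}
    (kind, field), = operand.items()
    if kind not in ctx:
        raise ValueError(f"operand {kind!r} is not available for this operation")
    return ctx[kind].get(field)

def policy_matches(policy: dict, ctx: dict) -> bool:
    """All conditions within a policy must hold (AND)."""
    return all(
        OPERATORS[c["operator"]](resolve(c["left"], ctx), resolve(c["right"], ctx))
        for c in policy["conditions"]
    )

def evaluate(policies: list, ctx: dict) -> bool:
    """Implicit deny when nothing matches; a matching deny overrides any allow."""
    matched = [p for p in policies if policy_matches(p, ctx)]
    if any(p["permit"] == "deny" for p in matched):
        return False
    return any(p["permit"] == "allow" for p in matched)

def context(operation: str, user: dict, record=None, old_record=None, new_record=None) -> dict:
    """create/read/delete expose `record`; update exposes old_record/new_record only."""
    if operation == "update":
        return {"user": user, "old_record": old_record, "new_record": new_record}
    return {"user": user, "record": record}

def readable(policies: list, user: dict, records: list) -> list:
    """Read Permission as a filter: keep only the records some policy allows."""
    return [r for r in records if evaluate(policies, context("read", user, record=r))]

def check(operation: str, policies: list, user: dict, **kw) -> bool:
    """Create/Update/Delete Permission as validation: False means permission denied."""
    return evaluate(policies, context(operation, user, **kw))

# Create policies transcribed from the Task example on this page (dict form of the HCL).
ADMIN = {"left": {"user": "role"}, "operator": "eq", "right": {"value": {"string": "ADMIN"}}}
TASK_CREATE = [
    {"conditions": [ADMIN], "permit": "allow", "description": "Administrators can create any task"},
    {"conditions": [
        {"left": {"record": "assigneeId"}, "operator": "eq", "right": {"user": "_id"}},
        {"left": {"record": "status"}, "operator": "eq", "right": {"value": {"string": "TODO"}}},
     ], "permit": "allow", "description": "Users can create tasks assigned to themselves with TODO status"},
]
# Constructed read/update policies; the deny policy assumes a `status` attribute
# in the user's AttributeMap and exists only to show deny-overrides.
TASK_READ = [
    {"conditions": [ADMIN], "permit": "allow", "description": "Administrators can read any task"},
    {"conditions": [{"left": {"record": "assigneeId"}, "operator": "eq", "right": {"user": "_id"}}],
     "permit": "allow", "description": "Users can read tasks assigned to themselves"},
    {"conditions": [{"left": {"user": "status"}, "operator": "eq", "right": {"value": {"string": "SUSPENDED"}}}],
     "permit": "deny", "description": "Suspended users cannot read tasks"},
]
TASK_UPDATE = [
    {"conditions": [
        {"left": {"old_record": "assigneeId"}, "operator": "eq", "right": {"user": "_id"}},
        {"left": {"new_record": "status"}, "operator": "in",
         "right": {"value": {"string_array": ["TODO", "IN_PROGRESS", "DONE"]}}},
     ], "permit": "allow", "description": "Assignees can move their own tasks between statuses"},
]

# Constructed sample users (AttributeMap values) and task records.
ADMIN_USER = {"_id": "u-admin", "role": "ADMIN", "status": "ACTIVE"}
ALICE = {"_id": "u-alice", "role": "USER", "status": "ACTIVE"}
SUSPENDED_ALICE = {**ALICE, "status": "SUSPENDED"}
TASKS = [
    {"id": "t1", "assigneeId": "u-alice", "status": "TODO"},
    {"id": "t2", "assigneeId": "u-bob", "status": "IN_PROGRESS"},
]

if __name__ == "__main__":
    print([t["id"] for t in readable(TASK_READ, ALICE, TASKS)])
    print(check("create", TASK_CREATE, ALICE, record={"assigneeId": "u-alice", "status": "DONE"}))
```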
Complete Example
resource "tailor_tailordb_type" "task" {
  workspace_id = tailor_workspace.demo.id
  namespace    = tailor_tailordb.demo.namespace
  name         = "Task"

  fields = {
    title = {
      type        = "string"
      required    = true
      description = "Task title"
    }
    status = {
      type = "enum"
      allowed_values = [
        {
          value       = "TODO"
          description = "Task is pending"
        },
        {
          value       = "IN_PROGRESS"
          description = "Task is currently being worked on"
        },
        {
          value       = "DONE"
          description = "Task has been completed"
        }
      ]
      hooks = {
        create = "'TODO'"
      }
      description = "Task status"
    }
    assigneeId = {
      type = "uuid"
      hooks = {
        create = "user.id"
      }
      description = "ID of the user assigned to this task"
    }
  }

  permission = {
    create = [
      {
        conditions = [
          { left = { user = "role" }, operator = "eq", right = { value = { string = "ADMIN" } } }
        ]
        permit      = "allow"
        description = "Administrators can create any task"
      },
      {
        conditions = [
          { left = { record = "assigneeId" }, operator = "eq", right = { user = "_id" } },
          { left = { record = "status" }, operator = "eq", right = { value = { string = "TODO" } } }
        ]
        permit      = "allow"
        description = "Users can create tasks assigned to themselves with TODO status"
      }
    ]
    read = [
      {
        conditions = [
          { left = { user = "role" }, operator = "eq", right = { value = { string = "ADMIN" } } }
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> permit </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"allow"</span></span>
<span><span style="color: var(--shiki-color-text)"> description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"Administrators can read all tasks"</span></span>
<span><span style="color: var(--shiki-color-text)"> },</span></span>
<span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)"> { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"assigneeId"</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"eq"</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"_id"</span><span style="color: var(--shiki-color-text)"> } }</span></span>
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> permit </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"allow"</span></span>
<span><span style="color: var(--shiki-color-text)"> description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"Users can read tasks assigned to them"</span></span>
<span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> update </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)"> { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"role"</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"eq"</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"ADMIN"</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> permit </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"allow"</span></span>
<span><span style="color: var(--shiki-color-text)"> description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"Administrators can update any task"</span></span>
<span><span style="color: var(--shiki-color-text)"> },</span></span>
<span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)"> { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { old_record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"assigneeId"</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"eq"</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"_id"</span><span style="color: var(--shiki-color-text)"> } },</span></span>
<span><span style="color: var(--shiki-color-text)"> { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { new_record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"assigneeId"</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"eq"</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"_id"</span><span style="color: var(--shiki-color-text)"> } }</span></span>
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> permit </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"allow"</span></span>
<span><span style="color: var(--shiki-color-text)"> description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"Users can update tasks assigned to them"</span></span>
<span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> delete </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)"> { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"role"</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"eq"</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"ADMIN"</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> permit </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"allow"</span></span>
<span><span style="color: var(--shiki-color-text)"> description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"Administrators can delete any task"</span></span>
<span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
GQLPermission (GraphQL-Level Control)
GQLPermission is defined as a separate resource and controls which users can execute which GraphQL operations on a type. It applies to the GraphQL API only: SQL executed against TailorDB through the Function service is not affected by it, so a GQLPermission policy must never be the only control protecting a type. Record-level Permission is the layer that is enforced on both paths.
Basic Structure
```hcl
resource "tailor_tailordb_gql_permission" "example" {
  workspace_id = tailor_workspace.demo.id
  namespace    = tailor_tailordb.demo.namespace
  type         = tailor_tailordb_type.example.name

  policies = [
    {
      conditions  = [/* conditions */]
      actions     = [/* actions */]
      permit      = "allow" # or "deny"
      description = "Policy description"
    }
  ]
}
```

Conditions
Conditions are defined the same way as in Permission, with one difference: the record, old_record and new_record operands are not available. A GQLPermission policy is evaluated per operation rather than per record, so its conditions can only compare user attributes and literal values.
Actions
Each GraphQL operation is categorized into the following actions:
Action | GraphQL operation
---|---
all | All GraphQL operations for the type
create | create<Type> mutation
read | get<Type>, get<Type>By, list<Type>s queries
update | update<Type> mutation
delete | delete<Type> mutation
aggregate | aggregate<Type> query
bulk_upsert | bulkUpsert<Type>, bulkUpsert<Type>By mutations
Complete Example
```hcl
resource "tailor_tailordb_gql_permission" "task" {
  workspace_id = tailor_workspace.demo.id
  namespace    = tailor_tailordb.demo.namespace
  type         = tailor_tailordb_type.task.name

  policies = [
    {
      conditions = [
        { left = { user = "role" }, operator = "eq", right = { value = { string = "ADMIN" } } }
      ]
      actions     = ["all"]
      permit      = "allow"
      description = "Administrators have full access to all GraphQL operations"
    },
    {
      conditions = [
        { left = { user = "_loggedIn" }, operator = "eq", right = { value = { boolean = true } } }
      ]
      # delete, aggregate and bulk_upsert are not granted to ordinary users by any policy here
      actions     = ["create", "read", "update"]
      permit      = "allow"
      description = "Authenticated users can create, read, and update tasks"
    }
  ]
}
```

Auth Integration
The attributes that the user operand can reference (for example user = "role") come from the Auth service configuration: for interactive users they are read from the user profile record through attribute_map, and for machine users they are set directly on the machine user resource. The built-in attributes _id and _loggedIn are available without any configuration.
User Profile Configuration
```hcl
resource "tailor_auth_user_profile_config" "user" {
  tailordb_config = {
    namespace      = tailor_tailordb.demo.namespace
    type           = tailor_tailordb_type.user.name
    username_field = "email"
    attribute_map = {
      # Reference the value of the role field as "role" using the "user" operand
      role = "role"
    }
  }
}
```

Machine User Configuration
```hcl
resource "tailor_auth_machine_user" "admin" {
  name = "admin"
  attribute_map = {
    # Set the role attribute to "ADMIN"
    role = { string = "ADMIN" }
  }
}
```

Built-in User Attributes
In addition to custom attributes, two built-in fields are always available:
_id
The user's unique identifier.
```hcl
# Check if the user ID matches the record's assigneeId
{ left = { user = "_id" }, operator = "eq", right = { record = "assigneeId" } }
```

_loggedIn
Boolean indicating whether the user is authenticated.
```hcl
# Check if the user is logged in
{ left = { user = "_loggedIn" }, operator = "eq", right = { value = { boolean = true } } }
```

SQL Operation Behavior
Unlike GQLPermission, Permission is enforced at the SQL level as well.
For detailed information about how the settings affect SQL operations when accessing TailorDB via the Function service, see Permission Enforcement.
GraphQL Operation Behavior
When TailorDB is accessed via GraphQL, the record-level Permission rules an operation must satisfy are derived from its SQL equivalent, and the matching GQLPermission action is checked in addition:
Create Operations
```graphql
mutation {
  createTask(input: { title: "New task" }) {
    id
  }
}
```

SQL Equivalent: INSERT INTO "Task" ("title") VALUES ('New task') RETURNING "id"
Required Permissions:
- Permission: Create, Read (for returning the created record)
- GQLPermission: Create
Read Operations
```graphql
query {
  tasks(query: { status: { eq: "TODO" } }, first: 10) {
    edges {
      node { id, title }
    }
  }
}
```

SQL Equivalent: SELECT "id", "title" FROM "Task" WHERE "status" = 'TODO' LIMIT 10
Required Permissions:
- Permission: Read
- GQLPermission: Read
Update Operations
```graphql
mutation {
  updateTask(
    id: "<uuid>"
    input: { status: "DONE" }
    condition: { status: { eq: "IN_PROGRESS" } }
  ) {
    id
  }
}
```

SQL Equivalent: UPDATE "Task" SET "status" = 'DONE' WHERE "id" = '<uuid>' AND "status" = 'IN_PROGRESS' RETURNING "id"
Required Permissions:
- Permission: Update, Read (to retrieve the candidate record and to return the updated one)
- GQLPermission: Update
Delete Operations
<span><span style="color: var(--shiki-token-keyword)">mutation</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> deleteTask(id: </span><span style="color: var(--shiki-token-string-expression)">"<uuid>"</span><span style="color: var(--shiki-color-text)">)</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
SQL Equivalent: DELETE FROM "Task" WHERE "id" = 'uuid'
Required Permissions:
- Permission: Delete, Read (for candidate record retrieval)
- GQLPermission: Delete
Bulk Upsert Operations
<span><span style="color: var(--shiki-token-keyword)">mutation</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> bulkUpsertTasksBy(</span></span>
<span><span style="color: var(--shiki-color-text)"> field: title</span></span>
<span><span style="color: var(--shiki-color-text)"> input: [</span></span>
<span><span style="color: var(--shiki-color-text)"> { </span><span style="color: var(--shiki-token-string)">title</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">"Task 1"</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string)">status</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">"TODO"</span><span style="color: var(--shiki-color-text)"> },</span></span>
<span><span style="color: var(--shiki-color-text)"> { </span><span style="color: var(--shiki-token-string)">title</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">"Task 2"</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string)">status</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">"DONE"</span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)"> ]</span></span>
<span><span style="color: var(--shiki-color-text)"> )</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
SQL Equivalent: INSERT INTO "Task" ("title", "status") VALUES ('Task 1', 'TODO'), ('Task 2', 'DONE') ON CONFLICT ("title") DO UPDATE SET "status" = EXCLUDED."status"
Required Permissions:
- Permission: Create (INSERT case), Update + Read (UPDATE case)
- GQLPermission: BulkUpsert
Aggregate Operations
<span><span style="color: var(--shiki-token-keyword)">query</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> aggregateTasks {</span></span>
<span><span style="color: var(--shiki-color-text)"> groupBy { status }</span></span>
<span><span style="color: var(--shiki-color-text)"> count</span></span>
<span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
SQL Equivalent: SELECT "status", COUNT(*) FROM "Task" GROUP BY "status"
Required Permissions:
- Permission: Read
- GQLPermission: Aggregate
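As an added illustration (not TailorDB's own code), the following Python model applies the required-permission pairs listed above to constructed sample data: the GQLPermission layer gates the operation, the Permission layer filters each record (with Read gating candidate retrieval for Update and Delete), and bulk upsert picks Create or Read + Update per row. The rule bodies, user names, owner field and records are assumptions.

```python
# Added illustrative model of the two-layer check above; not TailorDB's code.
# Rule bodies, users and records below are constructed sample data.
from dataclasses import dataclass

@dataclass
class Policy:
    record_rules: dict   # Permission: action -> predicate(user, record)
    gql_ops: set         # GQLPermission: operations the user may invoke

    def record_allowed(self, action, user, rec):
        rule = self.record_rules.get(action)
        return bool(rule and rule(user, rec))

def run(policy, user, op, table, **kw):
    """Apply the operation's required permissions; return what it may touch."""
    if op not in policy.gql_ops:                 # layer 1: GQLPermission
        raise PermissionError(f"GQLPermission denies {op}")
    if op in ("Read", "Aggregate"):              # layer 2: Permission Read
        return [r for r in table if policy.record_allowed("Read", user, r)]
    if op in ("Update", "Delete"):
        # candidate retrieval needs Read: an unreadable record is simply not
        # a candidate, so the write affects nothing instead of revealing it
        cands = [r for r in table if r["id"] == kw["id"]
                 and policy.record_allowed("Read", user, r)]
        return [r for r in cands if policy.record_allowed(op, user, r)]
    if op == "BulkUpsert":
        # per row: no conflict -> Create (INSERT); conflict -> Read + Update
        existing = {r[kw["field"]]: r for r in table}
        result = []
        for row in kw["input"]:
            cur = existing.get(row[kw["field"]])
            ok = (policy.record_allowed("Create", user, row) if cur is None
                  else policy.record_allowed("Read", user, cur)
                  and policy.record_allowed("Update", user, cur))
            result.append((row[kw["field"]], ok))
        return result
    raise ValueError(f"unknown operation {op}")

# Sample policy: owners read/update their own tasks, only "admin" deletes at
# the record layer, and the GQL layer does not expose Delete at all.
POLICY = Policy(
    record_rules={"Read":   lambda u, r: u == "admin" or r.get("owner") == u,
                  "Update": lambda u, r: r.get("owner") == u,
                  "Delete": lambda u, r: u == "admin",
                  "Create": lambda u, r: u != "anonymous"},
    gql_ops={"Read", "Update", "BulkUpsert", "Aggregate"})
TASKS = [{"id": "t1", "title": "Task 1", "status": "IN_PROGRESS", "owner": "alice"},
         {"id": "t2", "title": "Task 2", "status": "TODO", "owner": "bob"}]
```

Note that an update aimed at a record the caller cannot Read returns an empty candidate set, which is the behaviour the "Read (for candidate record retrieval)" requirement implies, while an operation missing at the GQLPermission layer is refused before any record is examined.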
Compatibility
- When both Permission and RecordPermission are defined, Permission takes precedence
- When both GQLPermission and TypePermission are defined, GQLPermission takes precedence
- This ensures backward compatibility while enabling gradual migration