Roles are the core of an attribute-based access control (ABAC) schema. The Role collection is a native collection of user-defined roles. These roles extend the built-in access roles. Only resources with an admin key can create or manage user-defined roles.

Roles are created in the current database. To establish the same roles throughout a database hierarchy, you must separately create identical roles in each child database that requires them.
Avoid using the deprecated, built-in
Unlike user-defined collections, the Role collection has a predefined document structure. The structure is system defined and immutable. Role documents are accessed by their name parameter, which makes the collection a part of the subset of native collections known as
A role document structure has
associate a Fauna resource with predefined, permitted
resource can be a Collection, or user-defined function (UDF).

The membership array authorizes users or processes to use the privileges. Membership specifies a Collection of members and an optional function that validates members. Without this function, all collection members have the role and its privileges.
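The privileges and membership arrays described above, as an added FQL v4 example (not code from this page or from the Fauna documentation): the role's actions on a hypothetical orders collection are gated by predicate functions instead of blanket `true`, and membership in a hypothetical customers collection is narrowed by the optional membership predicate. The collection names, the index name and the `owner`/`active` fields are assumptions.

```fql
CreateRole({
  name: "customer_self_service",
  // privileges: each entry binds one Fauna resource to the actions it
  // permits; an action is either `true` (always allowed) or a predicate
  // function that receives the affected document/ref and returns a boolean
  privileges: [
    {
      resource: Collection("orders"),   // assumed collection name
      actions: {
        // read: allowed only when the caller owns the order being read
        read: Query(
          Lambda("ref",
            Equals(
              CurrentIdentity(),
              Select(["data", "owner"], Get(Var("ref")))
            )
          )
        ),
        // create: allowed only when the new order names the caller as owner
        create: Query(
          Lambda("values",
            Equals(
              CurrentIdentity(),
              Select(["data", "owner"], Var("values"))
            )
          )
        )
      }
    },
    {
      // the lookup index is read-only for members (assumed index name)
      resource: Index("orders_by_owner"),
      actions: { read: true }
    }
  ],
  // membership: documents in the customers collection hold this role, but
  // only while the predicate returns true; without `predicate`, every
  // customer document would get the role and its privileges unconditionally
  membership: [
    {
      resource: Collection("customers"),   // assumed collection name
      predicate: Query(
        Lambda("ref",
          Select(["data", "active"], Get(Var("ref")), false)
        )
      )
    }
  ]
})
```

A practitioner checking a role like this should confirm that every action predicate closes over `CurrentIdentity()` rather than caller-supplied data alone, since any member of the collection can call the actions the role grants.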
Roles work together with one of the
collections. The following table explains how Fauna evaluates role membership depending on whether the caller is attempting to access resources by using a

Internal authentication by Fauna. Fauna evaluates stored

Internal authorization without the use of identity authentication. Presentation of a Fauna key secret enables the caller. Only the role

External authentication by an identity provider (IdP). A third-party caller supplies the JWT secret from the provider. The JWT is matched to an
See the Role document definition.