FSL role schema
This page covers the FSL syntax for role schemas. For an overview of user-defined roles, see Roles.
An FSL role schema defines a user-defined role.
Fauna uses secrets for authentication and authorization. Roles determine a secret’s privileges, which control data access.
```fsl
role manager {
  membership Manager
  membership User {
    predicate (user => user.accessLevel == 'manager')
  }
  privileges Product {
    create
    read
    write
    delete
  }
  privileges User {
    read {
      predicate (doc => Query.identity() == doc)
    }
  }
  privileges getOrCreateCart {
    call
  }
  privileges checkout {
    call {
      predicate ((args) => {
        let order = Order.byId(args[0])!
        order?.customer == Query.identity()
      })
    }
  }
}
```
You can create and manage schema using any of the following:
- The Fauna CLI
- The Fauna Dashboard
- The Fauna Core HTTP API's Schema endpoints

Fauna stores each role schema as an FQL document in the `Role` system collection.
FSL syntax
```
role <role> {
  [membership <collection> [{
    predicate <predicate>
  }] . . .]
  [privileges <resource> {
    <action> [{
      predicate <predicate>
    }] . . .
  } . . .]
}
```
Name
Name | Required | Description |
---|---|---|
`role` | Yes | Unique name for the role in the database. Must begin with a letter. Can only include letters, numbers, and underscores. `admin`, `server`, and `server-readonly` are reserved and can't be used. |
Properties
Property | Required | Description |
---|---|---|
`membership` | | Assigns the role to tokens based on the token's identity document. See Membership definition. |
`privileges` | | Allows one or more actions on a resource. See Privileges definition. |
Membership definition
```fsl
role manager {
  membership Manager
  membership User {
    predicate (user => user.accessLevel == 'manager')
  }
  ...
}
```
Property | Required | Description |
---|---|---|
`collection` | Yes | Name of a user-defined collection. Fauna assigns the role to tokens with an identity document in the collection. |
`predicate` | | Predicate used to conditionally assign the role. If the predicate is not The predicate is passed one argument: an object containing the token's identity document. The predicate runs with the built-in |
Privileges definition
```fsl
role manager {
  ...
  privileges Product {
    create
    read
    write
    delete
  }
  privileges User {
    read {
      predicate (doc => Query.identity() == doc)
    }
  }
  ...
}
```
Property | Required | Description |
---|---|---|
`resource` | Yes | Name of a collection or user-defined function (UDF). Supports user-defined collections and the following system collections: |
`action` | Yes | Type of operation allowed on the resource. Privileges support different actions based on the resource type. See Privilege actions. |
`predicate` | | Predicate used to conditionally grant the privilege. If the predicate is not Privilege predicates are passed different arguments based on their action. See Privilege predicate arguments. The predicate runs with the built-in |
Privilege actions
Privileges support different actions based on their resource type.
Resource type | Action | Allows you to … |
---|---|---|
Collection | `create` | Create documents in the collection. To create documents with a custom |
Collection | `delete` | Delete documents in the collection. |
Collection | `read` | Read documents in the collection. Can also call the collection's indexes. To read historical document snapshots, you must also have the |
Collection | `write` | Update or replace documents in the collection. |
Collection | `create_with_id` | Create documents with a custom |
Collection | `history_read` | Read snapshots for documents in the collection. See Run a temporal query. |
User-defined function (UDF) | `call` | Call the function. |
Privilege predicate arguments
Privilege predicates are passed different arguments based on their action.
Examples
```fsl
role manager {
  // Assign the `manager` role to tokens with
  // an identity document in the `Manager` collection.
  membership Manager

  // If the predicate is `true`,
  // assign the `manager` role to tokens with
  // an identity document in the `User` collection.
  membership User {
    // Check that the identity document's
    // `accessLevel` field value is `manager`.
    predicate (user => user.accessLevel == 'manager')
  }

  // Grant full access to `OrderItem` collection documents.
  privileges OrderItem {
    create
    read
    write
    delete
  }

  // Grant `read` access to `Customer` collection documents.
  privileges Customer {
    read
  }

  // If the predicate is `true`,
  // grant `read` access to `Manager` collection documents.
  privileges Manager {
    read {
      predicate (doc =>
        // Check that the `Manager` document
        // is the token's identity document.
        // `Query.identity()` is `null` (falsy) for JWTs or keys.
        Query.identity() == doc &&
        // Check that it's a weekday.
        Date.today().dayOfWeek < 6
      )
    }
  }

  // Grant the ability to call the user-defined
  // `getOrCreateCart()` function.
  privileges getOrCreateCart {
    call
  }

  // If the predicate is `true`,
  // grant the ability to call the user-defined
  // `checkout()` function.
  privileges checkout {
    call {
      // Check that the `orderId` (`args[0]`) belongs to the user.
      // `Query.identity()` is `null` for JWTs or keys.
      predicate ((args) => {
        let order = Order.byId(args[0])!
        order?.customer == Query.identity()
      })
    }
  }
}
```
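The `customer` role below is an added example, not part of the original page, showing the narrowly scoped counterpart to `manager`. Because `Query.identity()` is `null` for keys and JWTs, and `null == null` is `true` in FQL, an ownership check like `doc.customer == Query.identity()` would pass for a document whose `customer` field is unset; the explicit `null` guard closes that gap. The `Customer` and `Order` collections, their `status` and `customer` fields, and the `checkout()` function are assumed.

```fsl
// Added example: a least-privilege `customer` role.
// Assumes `Customer` and `Order` collections with `status`
// and `customer` fields, and a user-defined `checkout()` function.
role customer {
  // Only active customers receive the role.
  membership Customer {
    predicate (customer => customer.status == 'active')
  }

  // A customer may read only their own `Customer` document.
  privileges Customer {
    read {
      predicate (doc => Query.identity() == doc)
    }
  }

  // A customer may read only orders they own. The explicit
  // `null` check matters: for a key or JWT, `Query.identity()`
  // is `null`, and `null == null` would otherwise grant access
  // to any order whose `customer` field is unset.
  privileges Order {
    read {
      predicate (doc =>
        Query.identity() != null &&
        doc.customer == Query.identity()
      )
    }
  }

  // `checkout()` may be called only for an order the caller owns,
  // with the same guard against a `null` identity.
  privileges checkout {
    call {
      predicate ((args) => {
        let order = Order.byId(args[0])!
        Query.identity() != null &&
          order?.customer == Query.identity()
      })
    }
  }
}
```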