Permissions

FaunaDB has a built-in permissions system that allows for fine-grained control over access to data.

Access is controlled by a resource’s permissions object. The identity of a request’s key is checked against the value of the permission field corresponding to the resource and action being taken.

Permission fields may be set to one of the following values:

| Value | Access Allowed |
|---|---|
| empty | Only server keys are allowed. |
| public | Any key is allowed. |
| document ref | Only tokens belonging to the specified document are allowed. |
| collection ref | Only tokens belonging to documents in the specified collection are allowed. |

Client keys and roles, and public permissions are deprecated as of the 2.12.0 release. You should use the Attribute-based access control (ABAC) system instead.

See Deprecations for more details.

Beginning with FaunaDB 2.11.0, the FaunaDB access control logic uses either attribute-based access control (ABAC) roles or the key-based permission system, but never both.

If a resource is a member of an ABAC role, the ABAC role specifies all privileges for that resource. Otherwise, the key-based permission system determines whether read/write/execute privileges are enabled.

For example, when an ABAC role includes a user-defined function as a member, that function cannot be called unless the ABAC privileges permit the call action.

Collection permissions

Creating, reading, and modifying a document in a collection is controlled by the collection’s permissions. Applicable fields on a collection are:

| Permission Field | Action Allowed |
|---|---|
| create | Creating a document in the collection. |
| read | Reading documents in the collection. |
| write | Writing to documents in the collection. |

A document also has permissions, which are applied in addition to permissions defined on its collection. The permissions on a document may contain these fields:

| Permission Field | Action Allowed |
|---|---|
| read | Reading this document. |
| write | Writing to this document. |

User-defined function permissions

Calling a function is controlled by its permissions. Applicable fields are:

| Permission Field | Action Allowed |
|---|---|
| call | Calling the function. |

Index permissions

Query access to an index is controlled by its permissions. Applicable fields are:

| Permission Field | Action Allowed |
|---|---|
| read | Querying the index. |
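The permission fields above, set on a small schema in FQL (shell syntax). This is an added example, not taken from the Fauna documentation; the collection, index and function names and the document ID "1" are hypothetical, and none of these resources is assumed to be a member of an ABAC role.

```fql
// Collection whose documents own the tokens referred to below.
CreateCollection({ name: "users" })

// Collection permissions: tokens belonging to documents in "users"
// may create and read posts. The "write" field is left empty, so at
// the collection level only server keys may write.
CreateCollection({
  name: "posts",
  permissions: {
    create: Collection("users"),
    read: Collection("users")
  }
})

// Document permissions apply in addition to the collection's.
// "write" names a single document, so for this post only tokens
// belonging to users/1 (a constructed ID) are allowed by this field.
Create(Collection("posts"), {
  data: { title: "draft" },
  permissions: {
    write: Ref(Collection("users"), "1")
  }
})

// Index permissions: "read" controls who may query the index.
CreateIndex({
  name: "posts_by_title",
  source: Collection("posts"),
  terms: [{ field: ["data", "title"] }],
  permissions: { read: Collection("users") }
})

// Function permissions: "call" controls who may call the function.
CreateFunction({
  name: "find_posts",
  body: Query(
    Lambda("title", Paginate(Match(Index("posts_by_title"), Var("title"))))
  ),
  permissions: { call: Collection("users") }
})
```

No field here uses the deprecated `public` value; every grant is a document ref or a collection ref, and every omitted field falls back to server keys only.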
