Permissions
The content on this page describes the "legacy" permissions system within Fauna. Instead, you should use Attribute-based access control (ABAC), which provides far greater control over the groups of users that should have access and the kinds of access that they should receive.
Fauna has a built-in permissions system that allows for fine-grained control over access to data. Access is controlled by a resource's permissions object. The identity of a request's key is checked against the value of the permission field corresponding to the resource and the action being taken.
Permission fields may be set to one of the following values:
Value | Access allowed
---|---
empty | Only admin or server keys are allowed.
 | Any key is allowed.
document ref | Only tokens belonging to the specified document are allowed.
collection ref | Only tokens belonging to documents in the specified collection are allowed.
Beginning with Fauna 2.11.0, the Fauna access control logic uses either attribute-based access control (ABAC) roles or the key-based permission system, but never both. If a resource is a member of an ABAC role, the ABAC role specifies all privileges for that resource. Otherwise, the key-based permission system determines whether read/write/execute privileges are enabled. For example, when an ABAC role includes a user-defined function as a member, that function cannot be called unless the ABAC privileges permit the
Collection permissions
Creating, reading, and modifying a document in a collection is controlled by the collection’s permissions. Applicable fields on a collection are:
Permission field | Action allowed
---|---
 | Permits creating a document in the collection.
 | Permits reading documents in the collection.
 | Permits writing to documents in the collection.
A document also has permissions, which are applied in addition to permissions defined on its collection. The permissions on a document may contain these fields:
Permission field | Action allowed
---|---
 | Permits reading this document.
 | Permits writing to this document.
User-defined function permissions
Calling a function is controlled by its permissions. Applicable fields are:
Permission field | Action allowed
---|---
 | Permits calling the function.
Index permissions
Query access to an index is controlled by its permissions. Applicable fields are:
Permission field | Action allowed
---|---
 | Permits querying the index.
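To make the decision rules above concrete, here is a small model of the key-based check (the four field values, and the 2.11.0 rule that ABAC membership replaces key-based permissions entirely). It is an added example, not Fauna's own code: the action names such as `read`, `write` and `call`, the refs and the identities are constructed, and the model assumes that admin and server keys are never restricted by a permission field.

```python
"""Decision logic of the legacy Fauna permission check described above.
Added example, not Fauna's code; refs, identities and action names are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Union

@dataclass(frozen=True)
class Ref:
    collection: str
    id: Optional[str] = None    # None models a collection ref, a value models a document ref

@dataclass(frozen=True)
class Identity:
    kind: str                       # "admin", "server" or "token"
    document: Optional[Ref] = None  # the document a token belongs to (tokens only)

# A permission field holds one of: None (empty), "public", a document Ref or a collection Ref.
PermValue = Union[None, str, Ref]

def field_allows(value: PermValue, identity: Identity) -> bool:
    """Apply one permission field's value to the requesting identity."""
    # Assumption: admin and server keys are never restricted by a permission field.
    if identity.kind in ("admin", "server"):
        return True
    if value is None:               # empty field: only admin or server keys
        return False
    if value == "public":           # any key, tokens included
        return True
    if identity.kind != "token" or identity.document is None:
        return False
    if isinstance(value, Ref):
        if value.id is not None:    # document ref: the token must belong to that document
            return identity.document == value
        return identity.document.collection == value.collection  # collection ref: any document in it
    return False

@dataclass
class Resource:
    permissions: dict = field(default_factory=dict)  # action -> permission field value
    abac_privileges: Optional[dict] = None           # action -> bool, set when in an ABAC role

def check(resource: Resource, action: str, identity: Identity) -> bool:
    """Decide an action on a resource: ABAC membership or key-based permissions, never both."""
    if identity.kind in ("admin", "server"):         # same assumption as in field_allows
        return True
    if resource.abac_privileges is not None:         # since 2.11.0: the ABAC role decides everything
        return bool(resource.abac_privileges.get(action, False))
    return field_allows(resource.permissions.get(action), identity)

if __name__ == "__main__":
    posts = Resource(permissions={"create": Ref("users"), "read": "public", "write": Ref("users", "1")})
    print(check(posts, "write", Identity("token", Ref("users", "1"))))   # True: token of that document
    print(check(posts, "write", Identity("token", Ref("users", "2"))))   # False: another document
```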