Permissions (beta)

Permissions can be used to restrict access for specific features, so only authorized users can access them. In principle, a User needs a connection to a Permission to be able to access functionalities that require that Permission.

Permissions are defined as nodes with an IA_Permission label, and can have the following properties:

| Key | Description | Value |
| --- | --- | --- |
| error | Error message to display when access is denied. | string |
| expression | JavaScript expression to evaluate whether the user should have access. * | JavaScript string |
| query | Query to execute against the application store to determine whether the user should have access. * Query language should match the specified store. | Query string |
| store | The name of the store on which to execute the specified query. Defaults to application. | string |
| name | The name of the Permission. If set to a built-in Permission name (see below), it will be used to determine access to the specified Graphileon core functionality. | string |

* Queries should return only one row with an allow (boolean) column, that determines the user's access. Expressions can either return a boolean directly, or an array with a single object containing an allow property (similar structure to the query result).

* Both queries and expressions can use parameters, prefixed with $ (e.g. $myParam === 123). Parameter values are filled in by REQUIRE relations to the Permission, similar to how Triggers fill in parameter values for Functions.

Reserved permission names

There are a number of permission names that are used to control access to Graphileon core. Basic CRUD (create/read/update/delete) permissions are common to all entity types listed below. For example, all listed entities have the read permission. The full name of the read permission for the User entity would be user:read, whereas for Dashboard it would be dashboard:read.

The CRUD permissions below can be applied to any of these entity types: app, dashboard, diagram, file, function, node, permission, profile, relation, store, team, token, trigger, user and style.

| Permission | Allows to | Context | Examples |
| --- | --- | --- | --- |
| create | Create an entity | The entity to create | user:create, trigger:create |
| delete | Delete an entity | The entity to delete | user:delete, trigger:delete |
| read | Read an entity | The entity to read | user:read, trigger:read |
| write | Create/update/delete an entity | The entity to write | user:write, trigger:write |

CRUD Exceptions

| Permission | Note |
| --- | --- |
| app:{permission} | For all App CRUD permissions, please refer to the App data structure. |
| function:read | Is granted automatically to all logged-in users (no Permission node required). |
| user:delete | Is granted automatically to any user attempting to delete their own User. |
| user:read | Is granted automatically to any user attempting to read their own User data. |

Additional permission names

Besides the basic CRUD permissions, Graphileon has the following reserved permission names:

| Permission | Allows to | Context | Notes |
| --- | --- | --- | --- |
| email:custom | Write a custom email | Email Function | |
| language:translate | Manage translations | | |
| query:custom | Execute custom query | function: Query Function node; queries: object | |
| query:debug | See query debug info | | |
| settings | Manage settings | | |
| store:config-info | Get installation info | | |
| store:test-connection | Test connection to a store | Store config | |
| team:add-team | Add team to other team | parent: Parent team node; child: Child team node | |
| team:add-user | Add user to team | team: Team node; user: User node | |
| team:remove-team | Remove team from other team | parent: Parent team node; child: Child team node | |
| team:remove-user | Remove user from team | team: Team node; user: User node | |
| team:users | List team users | Team node | |
| user:dev-mode | Set own user to dev mode | User node to update | |
| user:review-request | Review user registration requests | User node to review | |
| debug | View debug information | | |
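
A review-time lint for Permission definitions, built from the result-shape and parameter rules and the reserved-name lists on this page. It is an added example, not Graphileon code: all function names are hypothetical, the caller is assumed to collect the parameter names supplied through REQUIRE relations, and denying any result outside the documented shape is this example's own fail-closed choice.

```javascript
// Added example; every function name here is hypothetical, not a Graphileon API.
const ENTITIES = ['app', 'dashboard', 'diagram', 'file', 'function', 'node', 'permission',
  'profile', 'relation', 'store', 'team', 'token', 'trigger', 'user', 'style'];
const CRUD = ['create', 'delete', 'read', 'write'];
const ADDITIONAL = ['email:custom', 'language:translate', 'query:custom', 'query:debug',
  'settings', 'store:config-info', 'store:test-connection', 'team:add-team',
  'team:add-user', 'team:remove-team', 'team:remove-user', 'team:users',
  'user:dev-mode', 'user:review-request', 'debug'];

// 'crud' or 'additional' for the reserved names listed on this page, else 'custom'.
function classifyName(name) {
  if (ADDITIONAL.includes(name)) return 'additional';
  const parts = String(name).split(':');
  const isCrud = parts.length === 2 && ENTITIES.includes(parts[0]) && CRUD.includes(parts[1]);
  return isCrud ? 'crud' : 'custom';
}

// Reduce an expression or query result to a strict boolean. Accepted shapes:
// a boolean, or an array with exactly one object whose `allow` is a boolean.
// Denying every other shape is this example's choice (fail closed).
function resolveAllow(result) {
  if (typeof result === 'boolean') return result;
  if (!Array.isArray(result) || result.length !== 1) return false;
  const row = result[0];
  return row !== null && typeof row === 'object' && row.allow === true;
}

// Names of the $parameters referenced by an expression or query string.
function referencedParams(text) {
  const matches = String(text || '').matchAll(/\$([A-Za-z_]\w*)/g);
  return [...new Set([...matches].map((m) => m[1]))];
}

// Lint one Permission definition. `supplied` lists the parameter names filled in
// through REQUIRE relations (gathered by the caller; an assumption of this example).
function lintPermission(perm, supplied = []) {
  const warnings = [];
  for (const p of referencedParams(`${perm.expression || ''} ${perm.query || ''}`)) {
    if (!supplied.includes(p)) warnings.push(`parameter $${p} is not supplied`);
  }
  return { kind: classifyName(perm.name), warnings };
}

// Constructed sample: 'users:read' is a typo for the reserved name 'user:read',
// so it is classified as a custom name rather than the built-in read permission.
const sample = { name: 'users:read', expression: '$teamName === "admins" && $level > 2' };
console.log(lintPermission(sample, ['teamName']));
```

A `custom` classification on a name that was meant to be reserved is the case worth catching in review, because only the built-in names control access to Graphileon core functionality.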