Graphql-engine: allow configuring permissions globally

Created on 13 Aug 2018 · 5Comments · Source: hasura/graphql-engine

Useful when we would like to apply some rule to all roles and all tables. For example, limiting the maximum number of rows selectable in a single query. See https://github.com/hasura/graphql-engine/issues/178#issuecomment-411491158

auth console server intermediate enhancement mockup-required 🖊️ medium

Source

0x777

👍9

Most helpful comment

Hello, any updates on this feature?
We would really like to have some sort of inheritance as requested in #611.
Specifically, our use case is to have a role behaving like a superset of another:

_customers_ can create and update submissions
_employees_ can do everything _customers_ can do plus some additional privileges.

We can easily duplicate permissions, but maintaining the same permissions on multiple roles can be tedious if the spec changes

reegodev on 2 Mar 2020

👍4

All 5 comments

This is an important feature for teams with large datasets (# of tables and rows, both).

The DX during development is not great as exposing the API for frontend development can cause the DB/Hasura instances to crash
This will also be useful for orgs who expose the GraphQL API to their clients

dsandip on 6 Aug 2019

👍4

More feedback from the community: permissions applicable to all tables in a schema

dsandip on 27 Dec 2019

Hello, any updates on this feature?
We would really like to have some sort of inheritance as requested in #611.
Specifically, our use case is to have a role behaving like a superset of another:

_customers_ can create and update submissions
_employees_ can do everything _customers_ can do plus some additional privileges.

We can easily duplicate permissions, but maintaining the same permissions on multiple roles can be tedious if the spec changes

reegodev on 2 Mar 2020

👍4

Hoping this feature is being considered for next release...this is a big issue when you have a large amount of tables across hundreds of customers and the metadata starts getting really large. Making changes to the metadata becomes a performance issue. Being able to specify a single set of permissions universally applies to all tables would reduce size considerably.

Even then, there needs to be a patch_metadata() api so that only changes can be applied to the metadata, instead of needing to use replace_metadata() with the entirety of the contents (which gets very large and slow). Hoping these 2 features can make it into next release (or next next release) as they will go a long way to allowing scalability for large numbers of customers/table changes on a single instance.

ElixirMike on 6 Aug 2020

👍3

Would really love to see some updates on this feature as well. It's a hassle to manage permissions on nested objects, where the nested objects need to "inherit" the permissions of the parent object (or some global permissions). Seems like there should be a straightforward way to do this via hasura's relationships.

Basically if I have two tables Parent and Child, where Child has a foreign key for Parent (aka Parent has many Children) and Parent has insert/select/update/delete permissions for role X, I'd like a one-click way to apply Parent's permissions for the same action/role to Child, merged with whatever other permissions you've set on Child. This should be done by reference, not just copying Parent's permissions, so that if the Parent's permissions change, the Child permissions update automatically.