Skip to main content

Data Permission Management

CloudBase provides a multi-level data permission management mechanism, ensuring data security while meeting the permission control requirements of different business scenarios.

🎯 Permission Management Framework

CloudBase data permission management includes three levels:

Permission TypeControl GranularityApplicable ScenariosConfiguration Complexity
Basic Permission ControlModel LevelSimple Permission RequirementsLow
Role PermissionsUser LevelOrganizational Structure PermissionsMedium
Security Rule PermissionsDocument LevelComplex Business LogicHigh

Permission Priority

Relationships between different permission types:

  • Role Permissions and Basic Permissions are combined as a union to form the final permissions.
  • Security Rule Permissions have the highest priority and override other permission settings.
  • Choose the appropriate permission management method based on business complexity.

🔧 Basic Access Control

Features

Basic Permission Control is the simplest permission management method, suitable for most common business scenarios:

  • Model-level Control: Apply uniform permissions to the entire data model.
  • Predefined Permission Templates: Provide common permission configuration templates.
  • Simple and Easy to Use: No need to write complex rule expressions.

Configuration Method

On the Data Model page in the CloudBase console, set corresponding permissions for each model:

Basic Permission Configuration

Permission Options

Based on the user's identity, select the corresponding permissions.

  • All users include anonymous users, external users, and internal users.
  • The actual permissions for an anonymous user are the maximum set of permissions from both "all users" and "anonymous users"; the same principle applies to external users and internal users.
  • Best Practice 1: Manage permissions exclusively through "all users"; set permissions for anonymous users, external users, and internal users to no access.
  • Best Practice 2: Delete the "all users" rules and manage permissions through granular roles.
Permission TypeApplicable Scenarios
Read all data and modify own dataPublic content, such as articles and products
Read and modify own dataPrivate data, such as user profiles
Read all data but cannot modify dataConfiguration data, such as system settings
No accessSensitive data, such as financial information

👥 Custom Role Permission Control

Feature Overview

Role-based permissions are a permission management approach based on organizational structure, suitable for hierarchical permission control in enterprise-level applications. It complements Basic Permission Control, with the final permissions being the union of both.

Core Features:

  • Support for Organizational Structure: Permission control based on departments and reporting relationships.
  • Role Inheritance: Supports hierarchical inheritance of permissions.
  • Flexible Combination: Combined with Basic Permissions as a union to provide more flexible permission configuration.

Configuration Steps

Step 1: Access Role Management

Access the Custom Roles Page to manage organizational structure and role definitions:

Role Management Entry

Step 2: Configure Row-level Permissions

Select the target role and click "Row Permission Settings" for detailed configuration:

Row Permission Settings

Permission Level Description

Permission LevelData ScopeApplicable ScenariosExample
View ownData where the Owner field is set to selfPersonal data managementEmployees can only view their own attendance records
View Self and SubordinatesData of self and subordinatesTeam managementSupervisors can view work reports of team members
View Own Department and Sub-departmentsData of own department and sub-departmentsDepartment managementDepartment managers view all projects within the department
View AllAll dataSystem managementAdministrators can view company-wide data

Permission Combination Rules

Relationship Between Read and Write Permissions

⚠️ Important: Row modification permission automatically includes read permission, meaning that having modification permission implies having read permission.

Permissions Union Calculation

Basic Permissions + Role Permissions = Final Permissions

Example Scenario:

Basic Permissions: Readable and writable only by the creator and administrators
Role Permissions: View All + No Modification Permission
─────────────────────────────────
Final Permissions: Can view all data, but can only modify the data they created

Practical Application Cases

Case 1: Blog Permissions

Business Requirements:

  • Can view everyone's blogs
  • Can update their own blogs

Basic Permission Configuration

All users/Read all data, Modify own data

Case 2: Project Management System

Business Requirements:

  • Project members can only view projects they participate in.
  • Project managers can manage the projects under their responsibility.
  • Department managers can view all projects within the department.

Basic Permission Configuration

All users/Read and modify own data

Role Permissions Configuration

RoleRole Data PermissionsRow Modification PermissionsFinal Effect
SalespersonView ownSelfCan only view and modify their own customers
Sales SupervisorView Self and SubordinatesSelf and subordinatesCan manage all customers of the team
Sales DirectorView AllView AllCan manage all customers

Permission Design Best Practices

1. Permissions Design Principles

  • Principle of Least Privilege: Grant only the minimum permissions required to complete the work
  • Separation of Duties: Different roles assume distinct data responsibilities
  • Permission Inheritance: Effectively leverage the hierarchical relationships of the organizational structure

2. Common Configuration Patterns

Read-only Extension Pattern:

Basic Permissions: Readable and writable only by the creator
Role Permissions: Expand viewable scope without granting modification permission
Effect: Expand data visibility while maintaining modification control

Administrator Mode:

Basic Permissions: Readable and writable only by the creator
Role Permissions: View All + Modify All
Effect: Administrators can manage all data

Department Isolation Pattern:

Basic Permissions: Readable and writable only by the creator
Role Permissions: View Own Department + Modify Own Department
Effect: Data isolation between departments and sharing within each department.

3. Notes

  • Permission Testing: Thoroughly test permissions for various roles before production deployment
  • Permission Auditing: Regularly inspect and adjust permission configurations
  • Documentation: Thoroughly document the business logic of permission design
  • Change Management: Permission changes must go through an approval process

🛡️ Security Rule Permissions

Feature Overview

Security rule permissions provide more flexible, scalable, and granular access control capabilities, supporting dynamic permission determination based on document content.

Core Features:

  • Document-level control: Access permissions can be determined based on the specific content of the document.
  • Expression-driven: Define permission logic using expressions similar to those in programming languages.
  • Dynamic permissions: Supports dynamic permission determination based on user identity, time, and data content.
  • Client-side only restriction: Restricts client-side user access without affecting server-side (Cloud Function) operations.

Configuration Entry

Switch to the Collection Management page and configure more granular security rules via Security Rule Permissions:

Security Rules Configuration

Rule Configuration Format

Security rules are configured in JSON format, with the basic structure as follows:

{
"read": "expression",
"write": "expression",
"create": "expression",
"update": "expression",
"delete": "expression"
}

Operation Types Description

Operation TypeDescriptionDefault ValueExample Scenario
readRead documentfalseQuery, retrieve documents
writeWrite document (General)falseDefault rule when no specific write operation is specified
createCreate documentInherits writeAdd new data
updateUpdate documentInherits writeModify existing data
deleteDelete documentInherits writeDelete data

💡 Rule Inheritance: If no specific write operation rules (create/update/delete) are specified, the write rule will be automatically applied.

Expression Syntax

Global Variables

Variable NameTypeDescriptionExample
authObjectUser login informationauth.openid, auth.uid
docObjectDocument data or query conditionsdoc.userId, doc.status
requestObjectRequest informationrequest.data
nowNumberCurrent timestampnow > doc.expireTime

User Identity Information (auth)

FieldTypeDescriptionApplicable Scenarios
openidStringWeChat user OpenIDWeChat Mini Program login
uidStringUser unique IDWeb login
loginTypeStringLogin methodTo distinguish between different login channels

Operator Support

OperatorDescriptionExampleUse Cases
==Equal toauth.uid == doc.userIdTo verify data owner
!=Not equal todoc.status != 'deleted'To exclude specific status
>, >=, <, <=Comparison operationsdoc.age >= 18Numeric range judgment
inInauth.uid in doc.editorsTo check if a user is in a list
&&Logical ANDauth.uid == doc.userId && doc.publishedCombining multiple conditions
||Logical ORauth.uid == doc.userId \|\| doc.publicMultiple access methods

Practical Application Example

1. Basic Permission Mapping

Readable by all users, writable only by the creator:

{
"read": true,
"write": "doc._openid == auth.openid"
}

Readable and writable only by the creator:

{
"read": "doc._openid == auth.openid",
"write": "doc._openid == auth.openid"
}

2. Complex Business Logic

Article Publishing System:

{
"read": "doc.published == true || doc.author == auth.uid",
"create": true,
"update": "doc.author == auth.uid",
"delete": "doc.author == auth.uid && doc.published == false"
}

Collaborative Document System:

{
"read": "auth.uid in doc.readers || auth.uid in doc.editors || doc.owner == auth.uid",
"write": "auth.uid in doc.editors || doc.owner == auth.uid"
}

3. Time Control

Limited-Time Event Data:

{
"read": "now >= doc.startTime && now <= doc.endTime",
"write": "doc.owner == auth.uid && now <= doc.endTime"
}

get Function: Cross-Document Permission Verification

Feature Description

The get()` function allows accessing data from other documents during permission verification, enabling complex cross-document permission control.

Syntax: `get('database.collection.documentID')

Usage Example

Role-Based Access Control:

{
"read": "get('database.user_roles.' + auth.uid).role in ['admin', 'editor']",
"write": "get('database.user_roles.' + auth.uid).role == 'admin'"
}

Associated Data Permissions:

{
"read": "auth.uid == get('database.projects.' + doc.projectId).owner"
}

Usage Limitations

  • A single expression can contain up to 3 get functions.
  • Up to 10 different documents can be accessed.
  • Maximum nesting depth: 2 levels
  • Additional database read operations will be generated (which will be billed).

Query Limitations and Optimization

Query Condition Requirements

Security rules require that query conditions must be a subset of the rules:

// Security Rules
{
"read": "doc.age > 10"
}

// ✅ Complies with rules (query conditions are a subset of the rules)
db.collection('users').where({
age: _.gt(15)
}).get()

// ❌ Does not comply with rules (query conditions exceed the scope of the rules)
db.collection('users').where({
age: _.gt(5)
}).get()

Document ID Query Refactoring

The traditional doc().get() query needs to be rewritten as a where() query:

// ❌ Traditional method (does not comply with security rules)
db.collection('posts').doc('postId').get()

// ✅ After refactoring (complies with security rules)
db.collection('posts').where({
_id: 'postId',
_openid: '{openid}' // Using template variables
}).get()

Best Practices

1. Rules Design Principles

  • Principle of Least Privilege: Grant only necessary permissions
  • Principle of Clarity: Rule expressions should be clear and easy to understand
  • Performance Considerations: Avoid excessive get() function calls

2. Common Patterns

Data Owner Pattern:

{
"read": "doc._openid == auth.openid",
"write": "doc._openid == auth.openid"
}

Public Read, Restricted Write:

{
"read": true,
"write": "doc.author == auth.uid"
}

State-Based Permission:

{
"read": "doc.status == 'published' || doc.author == auth.uid",
"update": "doc.author == auth.uid && doc.status != 'locked'"
}

3. Debugging Tips

  • Start with simple rules and gradually increase complexity
  • Thoroughly test various scenarios in the development environment
  • Check the permission error messages in the console
  • Properly use logging to record permission verification processes

🎯 Permission Selection Guide

Select based on business complexity

Business ScenarioRecommended SolutionReason
Simple ApplicationBasic Permission ControlSimple configuration that meets basic requirements
Complex Business LogicSecurity Rule PermissionsFlexible expressions that support complex judgments
Enterprise-level ApplicationRole Permissions + Basic PermissionsSupports organizational structure with clear permission hierarchy
High Security RequirementsSecurity Rules + Role PermissionsMulti-layered protection with fine-grained control

Permission Configuration Recommendations

  1. Start simple: Begin with basic permissions and gradually upgrade as needed
  2. Layered Design: Basic permissions handle common logic, while security rules handle specific logic
  3. Test Verification: Thoroughly test various permission scenarios in the development environment
  4. Documentation: Thoroughly document the permission design rationale and configuration instructions

Through reasonable permission configuration, you can build a secure yet flexible data access control system that meets various complex business requirements.