Security Rules
Introduction
Security rules are a more advanced, flexible, and scalable access control method built upon basic permission control, designed to protect users' cloud data.
Basic Permission Control is a predefined permission group based on the most fundamental and common scenarios in the development process, enabling simple permission management. However, as application business scenarios grow increasingly complex, the original control method cannot support requirements like role-based or login-mode-based control. Implementing such needs under Basic Permission Control requires moving all client-side operations to cloud functions, where validation and judgment logic run to achieve access control. But under security rules, developers can customize control conditions, complete permission configuration through rule statements, and the system performs access control based on these rules, even conducting data validation.
Security rules use an extensible, JSON-based configuration language to define which data users can access in the database and storage. Developers can write simple or complex rules based on the application's required granularity level to protect the data in the application.
Advantages and Features
- Flexibility. Developers can customize rules based on their business characteristics, and the rules support restricting data accessibility based on the application data itself.
- Granularity. Rules can be configured based on requirements, ranging from simple to complex.
- Security Independence. Rules are configured on the management side, independent of the application's business logic. Clients can neither access the rules nor bypass rule validation, ensuring all access to application data is authenticated.
- Convenience. Permission control can be achieved by configuring rules, eliminating the need for developing and deploying access-layer control, and enabling rapid validation.
How It Works
Security rules work in the following way: When accessing data, the system reads the complete rule configuration JSON set on the management side, where each key represents the operation type. The system retrieves the configuration value based on the operation type, which may be a boolean or an expression string. The expression string is a logical expression with JavaScript-like syntax. When the boolean or expression evaluates to true, access is allowed; otherwise, access is denied. Subsequent operations are only performed when access is permitted. The basic rule configuration format is as follows:
{
// Allows access to data when the configuration value is true or the conditional expression evaluates to true.
"read": false,
"write": <<condition>>
}
Within expressions, built-in variables can be used to obtain the request's identity and metadata information for complex logical judgments. For details, refer to the rule language.
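The decision flow described above, modeled locally as an added example (not the platform's evaluator and not code from this documentation). The `auth` variable and the `owner` and `uid` fields are assumed names; the model also assumes that an operation with no rule is denied and that expressions follow plain JavaScript semantics.

```javascript
// Local model of the decision flow (added example, not the platform's evaluator).
const MAX_EXPR_LENGTH = 1024; // per-expression limit stated under Limitations

// rules: parsed rule configuration; operation: key such as "read" or "write";
// context: variables visible to the expression (names here are assumptions).
function decide(rules, operation, context) {
  // Assumption of this model: an operation with no rule is denied.
  if (!Object.prototype.hasOwnProperty.call(rules, operation)) {
    return { allow: false, reason: "no rule for operation" };
  }
  const value = rules[operation];
  if (typeof value === "boolean") {
    return { allow: value, reason: "boolean rule" };
  }
  if (typeof value !== "string") {
    return { allow: false, reason: "rule is neither boolean nor expression string" };
  }
  if (value.length > MAX_EXPR_LENGTH) {
    return { allow: false, reason: "expression exceeds 1024 characters" };
  }
  try {
    // new Function is used only to model JavaScript-like evaluation of
    // rules you wrote yourself; it is not a sandbox for untrusted input.
    const names = Object.keys(context);
    const fn = new Function(...names, `"use strict"; return (${value});`);
    const result = fn(...names.map((n) => context[n]));
    // Only a literal true grants access; truthy values such as 1 do not.
    return { allow: result === true, reason: "expression evaluated" };
  } catch (err) {
    // A rule that throws (for example, on a missing field) fails closed.
    return { allow: false, reason: "expression error: " + err.name };
  }
}

// Constructed sample configuration and document.
const rules = { read: false, write: "auth != null && doc.owner == auth.uid" };
const doc = { owner: "user-1", title: "constructed sample" };

function demo() {
  return [
    decide(rules, "read", { auth: { uid: "user-1" }, doc }).allow,   // read is false
    decide(rules, "write", { auth: { uid: "user-1" }, doc }).allow,  // owner
    decide(rules, "write", { auth: { uid: "user-2" }, doc }).allow,  // other user
    decide(rules, "write", { auth: null, doc }).allow,               // anonymous
    decide(rules, "delete", { auth: { uid: "user-1" }, doc }).allow, // no rule
  ];
}
console.log(demo());
```

Running candidate rules through a model like this before deployment makes the fail-closed cases (anonymous caller, missing field, oversized expression) visible as test cases rather than production surprises.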
Billing
Security rules themselves do not incur any fees. However, using metadata variables (doc, resource) or fetch functions (get) in rules will generate read operations on the corresponding resources, and those reads consume resource usage.
Limitations
- Each expression (or group of expressions) in the security rule configuration has a maximum length limit of 1024 characters.
- Expressions support variables (regular expressions not supported), array expressions (array elements limited to numbers or strings), logical expressions (&&, ||), unary expressions (+1, -1, !a), binary expressions (>, >=, <, <=, ==, !=, in), member expressions (a.b, a["b"]), call expressions (supported only in cloud database security rules), and string template expressions (used for dynamic parameters in cloud database function calls, e.g., `database.collection.${doc.objectId}`).