Grafbase now supports owner-based authorization!
You can now build rich and secure multi-tenant applications, where data belongs to those who created it, using the new authorization rule: `owner`.
The `owner` rule works with your configured auth provider, so you can continue to build with Grafbase and use your own user management platform to control access to data.
Grafbase will check for the presence of `sub` in the request. If a `sub` is present and owner rules are configured, they will be applied. If `sub` is present but no owner rules are configured, group-based rules will be applied.
Here's how easy it is to configure your backend to only allow authorized users access to their data:
```graphql
schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: owner }]
  ) {
  query: Query
}
```
It's also just as easy to integrate signed-in and group-based auth with owner-based thanks to the inherited rules.
The rules below allow any signed-in user to `read` data, but only the owner can `create` or `update`. Users in the group `admin` can do every operation:
```graphql
schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [
      { allow: private, operations: [read] }             # any signed-in user can read
      { allow: groups, groups: ["admin"] }               # full access for the admin group
      { allow: owner, operations: [create, update] }     # owner: create, update (plus read from the private rule)
    ]
  ) {
  query: Query
}
```
We'd love to hear your feedback and ideas, so join us on Discord.