Owner-based authorization

Tomas Olvecky, Jamie Barton

Grafbase now supports owner-based authorization!

You can now build rich and secure multi-tenant applications in which data belongs to the user who created it, using the new owner authorization rule.

The owner rule works with your configured auth provider so you can continue to build with Grafbase and use your own user management platform to control the access of data.

Grafbase checks the incoming request for a sub claim. If sub is present and owner rules are configured, the owner rules are applied.

If sub is present but no owner rules are configured, group-based rules are applied instead.

Here's how easy it is to configure your backend to only allow authorized users access to their data:

schema @auth(
  providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
  rules: [{ allow: owner }]
) {
  query: Query
}

It's also just as easy to combine signed-in and group-based auth with owner-based auth, thanks to rule inheritance.

The rules below allow any signed-in user to read data, but only the owner can create or update it. Users in the admin group can perform every operation:

schema @auth(
  providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
  rules: [
    { allow: private, operations: [read] }
    { allow: groups, groups: ["admin"] }             # Full access
    { allow: owner, operations: [create, update] }   # read, create, update
  ]
) {
  query: Query
}
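To make the precedence concrete, here is an added illustrative model of how the two rule sets above resolve to a set of permitted operations for a given caller and record. It is not Grafbase's engine; it assumes group membership arrives in a token claim named groups, which the post does not specify.

```python
from dataclasses import dataclass
from typing import Optional

ALL_OPS = frozenset({"read", "create", "update", "delete"})


@dataclass(frozen=True)
class Rule:
    allow: str                          # "private", "groups" or "owner"
    operations: frozenset = ALL_OPS     # operations this rule grants
    groups: frozenset = frozenset()     # only used by "groups" rules


# The first schema in the post: only the owner may touch a record.
OWNER_ONLY = [Rule("owner")]

# The second schema: any signed-in user reads, owners create/update, admins do everything.
LAYERED = [
    Rule("private", frozenset({"read"})),
    Rule("groups", groups=frozenset({"admin"})),
    Rule("owner", frozenset({"create", "update"})),
]


def allowed_operations(claims: Optional[dict], record_owner: Optional[str], rules) -> frozenset:
    """Operations the caller may perform on one record under the given rules.

    claims is the decoded token payload (None for an anonymous request).
    record_owner is the sub stored with an existing record, or None when the
    request is creating a new one. Group membership is assumed (not stated in
    the post) to arrive in a "groups" claim.
    """
    if not claims or "sub" not in claims:
        return frozenset()  # no sub claim: none of these rules grant anything
    sub = claims["sub"]
    caller_groups = set(claims.get("groups", []))
    allowed: set = set()
    for rule in rules:
        if rule.allow == "private":
            allowed |= rule.operations
        elif rule.allow == "groups" and caller_groups & rule.groups:
            allowed |= rule.operations
        elif rule.allow == "owner":
            if record_owner is None:
                # creating: the new record will belong to the caller
                allowed |= rule.operations & {"create"}
            elif record_owner == sub:
                # existing record: only its owner gets the remaining operations
                allowed |= rule.operations - {"create"}
    return frozenset(allowed)
```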

We'd love to hear your feedback and ideas, so join us on Discord.