The admin role can skip all the access layer with admin secret, why I can not disable it when using HASURA_GRAPHQL_JWT_SECRET #7337
Seems like if someone gets the admin secret he can pass all the access layer without any restrictions.
Replies: 1 comment
@perelman
If you are running without any admin secret, the Hasura Console will not have any restrictions. Anybody can access the console and the GraphQL endpoint, which is not desired.
If you are on Hasura Cloud, you can add collaborators to your project with restricted permissions, which doesn't expose the admin secret to other users. Apart from this, I hope you are aware of the role-based permission system to create new roles and restrict data access on a row/column level.