Implementing Access Control via Hasura Permissions

[kaizerc]

Hi, I am currently exploring implementing permissions through Hasura. What are best practices to implement permission and also any limitations in implementing the same? Do the permissions inherited on views as well?

To provide context, I have created roles that can only access data if that role has access to that row.

Any article/blog that provides implementation examples?

[adas98012]

Here is the list to the docs on authorization:

https://hasura.io/docs/latest/auth/authorization/index/

[meetzaveri]

Hello,

Thanks for asking. You can visit this blog by hasura on authorization with examples - https://hasura.io/blog/hasura-authorization-system-through-examples/

As it goes, the basic setup for authorization is to have a base auth webhook through which all your API calls would be traversed.

1. Configure auth webhook
   This auth webhook will act as a middleware between your client and Hasura. It will not be exposed to public and hence you can create your auth business logic in that webhook. For more - https://hasura.io/docs/latest/auth/authentication/webhook/

In order to make auth webhook work, you'll need to avoid passing x-hasura-admin-secret (admin secret env var ) directly from your client. After then you'll need to pass your webhook link to HASURA_GRAPHQL_AUTH_HOOK by setting up webhook config mode (refer this - https://hasura.io/docs/latest/auth/authentication/webhook/#configuring-webhook-mode)

2. Creating Permissions
   So as @adas98012 suggested, you can follow this docs for better understanding - https://hasura.io/docs/latest/auth/authorization/basics/ . Whether you are looking to apply permissions on row level or at column level, those docs cover what you need.