How do i restrict each user to only seeing their own data

[csennitt]

Can Hasura handle each user only being able to see only the set of data they enter ?
I have a Practice table with an id,
a customer table with id and also practice id ( from above )
a visit table with customer id ( from above )
when a practice person logs in ( with JWT token ) how can do I ensure they can only see their own customers, visits and another other related data ( notes etc ).
I do not want practice id=2, too be able to see data from practice id=1 related data.
so practice id=1 has related multiple customers, each customer has multiple visits. It is important that none of the customers and related visits/notes "owned" by practice 1 are accessible by practice 2.
do i need to add "practice_id" to each table and filter on them ( somehow ) ?

[meetzaveri]

Hello @csennitt

In Hasura, you can use the built-in "role" feature to restrict access to certain rows of data based on the user's role. To restrict a user to only see the data they have entered, you would create a new role for that user, and then define a rule that only allows them to access rows where a certain column (e.g. "customer_id") matches their user ID.

Here is an example of how you might set this up:

• Create a new role in the Hasura console, and call it "user".
• Define a rule for the "user" role that only allows access to rows where the "customer_id" column matches the user's ID.
  Assign the user role to the user.
• You would then need to ensure that the "customer_id" column is populated with the user's ID when they create a new piece of data, so that Hasura can enforce the access control rule.

Respectively, in permissions for that table, under select action, you can create a custom check where customer_id equals to (_eq) value of X-Hasura-User-Id. Here, X-Hasura-User-Id is a session variable where you pass user's id. Example mentioned here in docs - https://hasura.io/docs/latest/auth/authorization/permission-rules/#using-session-variables . In this example, it uses id but you can replace it with customer_id

[csennitt]

thanks for the quick reply - I got that from the docs. I need to write a system with ( hopefully ) hundreds of users, the above would mean creating a "role" for each of them. does not sound like a good way to move forward. Also, on single tables I can see a way to use JWT, but how do I handle related data ( each related piece of data is "owned" by the practice ( the person logged in ). Would I need to "copy" the practice id to each table ? I think that creates a transitive dependency ( I try to avoid them in DB design ).

[meetzaveri]

Instead of copying "practice_id", you can add a column like created_by which contains user id who should be responsible for creating/inserting that row.

So several tables would contain created_by field, and you can use it to map relationships

[csennitt]

great answer = now, is this still "role" based ? Can I create a new "role" for each user that signs up for the system automatically ? or will I have to manually do this ( somehow ) ?

[meetzaveri]

Ideally, role in authorization layer is something which shouldn't be automated. It needs to be defined by us manually as a system designer as we shape our product's security on the road.

Also, there's no way we can create roles with some API/automation in Hasura. So, you will need to do it manually.

[meetzaveri]

Also, check this section in docs - https://hasura.io/docs/latest/auth/authorization/roles-variables/#modeling-roles-in-hasura