StreetCarts: Updating API BaaS permissions at runtime

Apigee API BaaS provides a NoSQL data store with fast access that's great for web and mobile applications, and ideal as a data store behind Apigee Edge proxies. If at runtime your application logic creates new data store entities that must be protected with access control, you can set up permissions for new entities with API BaaS APIs.

This article describes one way to update backend permissions at runtime using JavaScript in a Node.js module. You can include the module in an Apigee Edge proxy that communicates with the data store.

Note: This article is one in a series that uses the StreetCarts sample application to illustrate implementing authentication and authorization where Apigee Edge and Apigee API BaaS are combined in a single application. The series includes Authentication and authorization with Apigee Edge and API BaaS, Registering and authenticating new users with Edge and API BaaS, and Implementing authorization across Edge and API BaaS. By @Floyd Jones, @Steve Traut, @wwitman.

Updating permissions at runtime

You can use API BaaS APIs to set up permissions at runtime. Using JavaScript from a Node.js module, you can make requests that create API BaaS user groups, roles, and permissions, assign roles to groups, and add users to groups.

Because the ability to change permissions settings can also be used to damage your app, you might want to make these requests using credentials that aren't available to the application's users.

In StreetCarts, for example, each time an owner user adds a food cart, the app defines new permissions specific to that food cart. Only that food cart's owners and managers should be able to make changes to the cart, its menus, and its food items.

To create these permissions settings, the StreetCarts data-manager proxy authenticates with API BaaS application client credentials -- client ID and secret that give the proxy full access to everything in the API BaaS data store. (In your API BaaS organization, you'll find your client ID and secret on the admin console's overview page.)

Because it is so powerful, application client authentication is intended only for server-to-server access, such as access from Edge. At runtime, StreetCarts looks for the credentials in the Edge secure store (also known as the vault), where they are not available to users. The credentials are put there as part of StreetCarts configuration.

Here's how it works when a user creates a new food cart:

  1. A user authenticates and receives an access token.
  2. The user's client app passes the access token in a request to create a food cart via the foodcarts proxy.
  3. The request is forwarded to the data-manager proxy for updating the data store.
  4. The data-manager proxy extracts the access token that was generated by API BaaS and sends it via the addNewCart function in data-manager.js to create a new foodcart entity in the data store.
  5. After creating a new foodcart entity in the data store, the addNewCart function calls a series of functions to provide security for the new cart.
  6. Each of these functions calls getDataStoreClientToken to retrieve two values from the streetcarts vault created in Edge when StreetCarts was set up:
    • datastore-client-id, which holds the API BaaS client ID value.
    • datastore-client-secret, which holds the API BaaS client secret value.
  7. With the client ID and client secret, each function authenticates with API BaaS as an application client, giving it full access to the data store.
  8. Once authenticated, functions can create user groups, roles, and permissions.

Last update: 05-26-2016 11:29 AM