Hello All, I am creating a collection, say 'orders', in BaaS. The goal is to create a User who has only GET permission and should not be able to create / update the collection. Here are the steps:
1. Created a New App in Baas.
2. Created a new collection Orders.
3. Created a Role-1 with Read Only permissions (only GET)
4. Created a User-1 and assigned Role-1 to it.
I generate a token using grant_type = password and successfully get a token back.
Using this token I fire a GET in Postman and successfully get the orders.
However, when I try to POST data, BaaS still allows me to create a new Order (even though User-1 has only GET permission).
Is there any step I am missing here ?
Thanks
Syd
Are you certain that your permissions are set as you describe?
And are you certain that you are using the same token in each case?
To check the roles & permissions in BaaS, you can visit
https://appservices.apigee.com/#!/roles
Can you show us what you see there? I want to see all the roles defined, and then for the User-1, I want to see all roles attached to that user.
Alternatively, invoke the API to request those permissions, like this:
curl -i https://apibaas-trial.apigee.net/ORGNAME/APPNAME/roles/ROLE/permissions
I want to see that output for each role in the app. And then also:
curl -i https://apibaas-trial.apigee.net/ORGNAME/APPNAME/users/User-1/roles
You will need to provide appropriate authentication credentials for those queries. You can use the app credentials. That means you must append the query params client_id and client_secret to that url.
curl -i https://apibaas-trial.apigee.net/ORGNAME/APPNAME/users/User-1/roles?client_id=foobar\&client_secret=bahBlag
Answer by Nkcubeko Jamela · Nov 02, 2017 at 09:49 AM
@Syd
On your BaaS, under the role section as shown in picture 1.png, remove all the default roles and be left with the role you created, and set your permission path to /* or any wildcard of your choice.
Under the user section, select your user, then under Groups, Roles and Permissions select role and select your role, e.g. 2.png. It should only be able to GET.
Answer by Sid · Nov 02, 2017 at 01:58 PM
Hello @Dino & @Nkcubeko Jamela: Thanks for looking into it. I started fresh & followed the steps you guys mentioned. It's working as expected. However I am not sure what I was doing wrong earlier. Probably some oversight on my end. Attaching my steps as screenshots in the zip which I executed today, and it worked just fine :-) Kindly review if you get a chance.
Thanks Again
Syd
steps1-6.zip
I observed that if I delete the 'guest' and 'default' roles then it works, else it does not.
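To see why deleting the built-in roles changes the outcome, here is an added example (not code from this thread, nor Apigee's or Usergrid's own implementation) that models how BaaS/Usergrid-style permission strings ("verb[,verb...]:/path", where "*" matches one path segment and "**" matches any number) combine across a user's roles. The role definitions, including what the "default" and "guest" roles grant, are constructed for illustration; the model also assumes that the app-level "default" role is implicitly applied to every authenticated user on top of the roles assigned explicitly. Read the real values from /roles/{role}/permissions and /users/{user}/roles as Dino suggests and substitute them into APP_ROLES.

```python
"""Effective-permission check for Usergrid/API BaaS-style roles (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed role definitions, not taken from the thread. Role-1 is the
# read-only role from the question; "default" and "guest" stand in for the
# app's built-in roles, with the kind of broad grant that lets a write through.
APP_ROLES: Dict[str, List[str]] = {
    "Role-1": ["get:/orders", "get:/orders/*"],
    "default": ["get,put,post,delete:/**"],   # assumed content, check your app
    "guest": ["post:/users", "post:/devices"],  # assumed content, check your app
}

# Assumption of this model: the app-level "default" role is attached to every
# authenticated user in addition to the roles assigned to that user, so it is
# part of User-1's effective permissions whenever the role exists at all.
IMPLICIT_ROLES = ("default",)


def parse_permission(perm: str) -> Tuple[Set[str], str]:
    """Split "get,post:/orders/*" into ({"get", "post"}, "/orders/*")."""
    verbs, path = perm.split(":", 1)
    return {v.strip().lower() for v in verbs.split(",") if v.strip()}, path.strip()


def path_matches(pattern: str, path: str) -> bool:
    """Segment-wise match: "*" is exactly one segment, "**" is zero or more."""
    pat = [p for p in pattern.split("/") if p]
    parts = [p for p in path.split("/") if p]
    return _match(pat, parts)


def _match(pat: List[str], parts: List[str]) -> bool:
    if not pat:
        return not parts
    head, rest = pat[0], pat[1:]
    if head == "**":
        # try consuming 0..len(parts) segments with the double wildcard
        return any(_match(rest, parts[i:]) for i in range(len(parts) + 1))
    if not parts:
        return False
    if head == "*" or head == parts[0]:
        return _match(rest, parts[1:])
    return False


def granting_permissions(verb: str, path: str,
                         app_roles: Dict[str, List[str]],
                         user_roles: List[str]) -> List[Tuple[str, str]]:
    """Every (role, permission) pair that lets this request through.

    This is the audit view: if the answer contains a role the user was never
    deliberately given, that role is the one to remove or narrow.
    """
    verb = verb.lower()
    roles = list(user_roles) + [r for r in IMPLICIT_ROLES
                                if r in app_roles and r not in user_roles]
    grants = []
    for role in roles:
        for perm in app_roles.get(role, []):
            verbs, pattern = parse_permission(perm)
            if verb in verbs and path_matches(pattern, path):
                grants.append((role, perm))
    return grants


def is_allowed(verb: str, path: str,
               app_roles: Dict[str, List[str]], user_roles: List[str]) -> bool:
    return bool(granting_permissions(verb, path, app_roles, user_roles))


if __name__ == "__main__":
    user = ["Role-1"]  # what /users/User-1/roles would report
    for verb, path in (("GET", "/orders"), ("POST", "/orders")):
        print(verb, path, "->", granting_permissions(verb, path, APP_ROLES, user))
    # the fix from the thread: drop the built-in roles and re-check
    fixed = {k: v for k, v in APP_ROLES.items() if k not in ("default", "guest")}
    for verb, path in (("GET", "/orders"), ("POST", "/orders")):
        print("after removing default/guest:", verb, path, "->",
              is_allowed(verb, path, fixed, user))
```

With the constructed values, POST /orders is granted solely by the "default" role's "get,put,post,delete:/**", which is what the thread observed: Role-1 itself never allowed the write. The same model shows that narrowing the default role's permission string (for example to read-only paths) instead of deleting the role would close the hole too, which is worth considering if other parts of the app rely on that role existing.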