Create Policy and Roles for TODO App

To enable user sign-ups, you must configure roles, role classes, and policy rules.

Creating the "users" Role Class

A role class named "users" must be created using Devii's Role Management feature, accessible from the left-side menu. For detailed instructions, refer to the Role Management docs.

  1. Create a new role class named "users".
  2. Once saved, locate the Class ID on the Role Management page.
  3. Copy the Class ID and paste it into the sign_up function in your app.py file.

(Screenshot: the Class ID shown on the Role Management page)

This ensures that every new user is assigned to the "users" role class. Policies will then be created to allow users to manage their own lists and items. Note that the root role bypasses all roles and policy rules, so it has full access to manage users, lists, and items.

Nobody Role to Add Users

The "nobody" role is required so that the app can create new roles (one per signed-up user). Follow the instructions here to create this role. Expand "Show Example Queries" to find the appropriate GraphQL queries, which can be executed in GraphiQL, Postman, or Altair.

Once the query runs successfully, the "nobody" role will be created. Next, define a policy rule allowing the "nobody" role to create new roles:

  1. Navigate to Policy Rules in the left-side menu (detailed guide here).
  2. Click "+" to create a new rule.
  3. Set a description (e.g., "Nobody Role Can Create Users").
  4. Under Roles, select the "nobody" role (at this point, only "root" and "nobody" should exist).
  5. Under Operations, add "create_role" and "insert".
  6. Under Targets, add "public.devii_users" and "roles_pbac.roles".
  7. Click SAVE.

Policy for "Users"

Since Devii enforces a deny-by-default policy, any users created before these rules exist will have no access to lists or items until the rules are in place. We will create two policy rules governing lists and items:

  • First Rule:
    • Description: Users can CRUD own list
    • Role Classes: 'users'
    • Operations: delete, download, insert, select, update, upload
    • Targets: public.list
    • Filter Expression: devii_roleid = $_PRINCIPAL.roleid
  • Second Rule:
    • Description: Users can CRUD own items
    • Role Classes: 'users'
    • Operations: delete, download, insert, select, update, upload
    • Targets: public.items
    • Filter Expression: devii_roleid = $_PRINCIPAL.roleid

Global Policy for Status

Finally, create a global policy allowing anyone to view records in the status_values table:

  • Description: Anyone can see status values and ids
  • Logic: click 'Global'; it turns green to indicate that the rule is active
  • Operations: select
  • Targets: public.status_values
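To make the deny-by-default behaviour of these rules concrete, here is an added Python model of the policy evaluation. It is not Devii's engine or API: `Principal`, `PolicyRule`, `is_allowed`, `visible_rows` and the sample rows are assumptions constructed for this illustration. It encodes the four rules from this page (the "nobody" rule, the two "users" rules with their row filter, and the global status_values rule) and checks who can do what.

```python
"""Toy model of the deny-by-default policy rules configured on this page.

Added illustration only; this is NOT Devii's engine or API. The class and
function names are assumptions. Filter expressions are limited to the one
form the tutorial uses: '<column> = $_PRINCIPAL.<attribute>'.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass(frozen=True)
class Principal:
    roleid: int                        # value substituted for $_PRINCIPAL.roleid
    role: str                          # e.g. "root", "nobody", or a user's role
    role_class: Optional[str] = None   # e.g. "users"

@dataclass
class PolicyRule:
    description: str
    operations: Set[str]
    targets: Set[str]
    roles: Set[str] = field(default_factory=set)
    role_classes: Set[str] = field(default_factory=set)
    filter_expr: Optional[str] = None
    is_global: bool = False            # the 'Global' toggle: applies to every role

_FILTER_RE = re.compile(r"^\s*(\w+)\s*=\s*\$_PRINCIPAL\.(\w+)\s*$")

def filter_matches(expr: Optional[str], principal: Principal, row: dict) -> bool:
    """Evaluate a '<column> = $_PRINCIPAL.<attr>' filter against one row."""
    if expr is None:
        return True                    # no filter: rule covers every row
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    column, attr = m.groups()
    return row.get(column) == getattr(principal, attr)

def rule_applies(rule: PolicyRule, principal: Principal) -> bool:
    if rule.is_global:
        return True
    return principal.role in rule.roles or principal.role_class in rule.role_classes

def is_allowed(rules, principal, operation, target, row=None) -> bool:
    """Deny by default: allow only if some applicable rule grants the
    operation on the target and its filter matches the row (if any)."""
    if principal.role == "root":       # the page states root bypasses all policies
        return True
    for rule in rules:
        if not rule_applies(rule, principal):
            continue
        if operation not in rule.operations or target not in rule.targets:
            continue
        if filter_matches(rule.filter_expr, principal, row or {}):
            return True
    return False

def visible_rows(rules, principal, target, rows):
    """Rows of `target` the principal may select (row-level filtering)."""
    return [r for r in rows if is_allowed(rules, principal, "select", target, r)]

CRUD = {"delete", "download", "insert", "select", "update", "upload"}

# The four rules from this page, transcribed.
RULES = [
    PolicyRule("Nobody Role Can Create Users", {"create_role", "insert"},
               {"public.devii_users", "roles_pbac.roles"}, roles={"nobody"}),
    PolicyRule("Users can CRUD own list", CRUD, {"public.list"},
               role_classes={"users"}, filter_expr="devii_roleid = $_PRINCIPAL.roleid"),
    PolicyRule("Users can CRUD own items", CRUD, {"public.items"},
               role_classes={"users"}, filter_expr="devii_roleid = $_PRINCIPAL.roleid"),
    PolicyRule("Anyone can see status values and ids", {"select"},
               {"public.status_values"}, is_global=True),
]

# Constructed sample rows; the roleid values are invented for the example.
LISTS = [
    {"listid": 1, "devii_roleid": 10, "name": "Alice's groceries"},
    {"listid": 2, "devii_roleid": 11, "name": "Bob's chores"},
]

if __name__ == "__main__":
    alice = Principal(roleid=10, role="alice", role_class="users")
    nobody = Principal(roleid=0, role="nobody")
    print("alice sees:", [r["name"] for r in visible_rows(RULES, alice, "public.list", LISTS)])
    print("nobody may create_role:", is_allowed(RULES, nobody, "create_role", "roles_pbac.roles"))
    print("nobody may read lists:", is_allowed(RULES, nobody, "select", "public.list", LISTS[0]))
```

Run with `python policy_model.py`. The point of the model is the order of checks: a principal with no matching rule (the "nobody" role reading public.list) is denied outright, a "users" principal is narrowed to rows whose devii_roleid equals its own roleid, and the global rule grants select on status_values to every role without a filter. An insert is only allowed when the proposed row carries the principal's own devii_roleid, which is what keeps one user from writing into another user's list.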