Applying object level security
Object security rules define the conditions that allow or restrict certain operations on your app data. When the security rule expression evaluates to true, or when the expression is left empty, the requested action on your app data object is allowed. You can define object level security rules for the following data entities in your app.
- Permanent models
- Cloud storage buckets and files
- Redis cache keys
Whenever a user tries to perform a CRUD operation on these entities, if an object level security rule is defined, this rule is executed. Depending on the evaluation result, the requested CRUD operation is allowed or disallowed.
To define object level security rules, navigate to App settings and click/tap on Object level security. In the example below, we define object level security rules for the users model and cloud storage files, enforcing that users must be signed in and have a valid session, that users can update or delete only their own user information (e.g., they cannot update or delete other users' data), and that they can delete only the files they uploaded themselves.
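The following Python sketch is an added illustration, not the platform's rule syntax or code. It models the evaluation semantics described above (an empty expression allows, an expression must evaluate to true) for the rules in this example. The names RULES, is_allowed and unguarded, the _id and uploaded_by fields, and the choice of which operations carry a rule are all assumptions.

```python
# Model of the evaluation semantics described above. Hypothetical names
# throughout (RULES, is_allowed, unguarded, the _id/uploaded_by fields).
OPS = ("create", "read", "update", "delete")

def signed_in(req):
    # Signed in and holding a valid session.
    return req.get("user") is not None and req.get("session_valid") is True

def owns(field):
    # Rule: caller is signed in and obj[field] equals the caller's id.
    return lambda req, obj: signed_in(req) and obj.get(field) == req["user"]["_id"]

# One expression per (entity, operation); a missing entry models an
# expression left empty.
# Assumption: only the operations named in the example carry a rule.
RULES = {
    ("users", "update"): owns("_id"),
    ("users", "delete"): owns("_id"),
    ("files", "delete"): owns("uploaded_by"),
}

def is_allowed(entity, op, req, obj):
    rule = RULES.get((entity, op))
    if rule is None:
        return True  # empty expression: the action is allowed
    return rule(req, obj) is True  # anything other than true is a denial

def unguarded(entities):
    # Review aid: (entity, operation) pairs that are open because no rule is set.
    return [(e, op) for e in entities for op in OPS if RULES.get((e, op)) is None]

# Constructed sample data.
ALICE, BOB = {"_id": "u1"}, {"_id": "u2"}
AS_ALICE = {"user": ALICE, "session_valid": True}
EXPIRED = {"user": ALICE, "session_valid": False}
ANON = {"user": None, "session_valid": False}
BOBS_FILE = {"_id": "f1", "uploaded_by": "u2"}

if __name__ == "__main__":
    print(is_allowed("users", "update", AS_ALICE, ALICE))     # own record
    print(is_allowed("users", "update", AS_ALICE, BOB))       # someone else's record
    print(is_allowed("users", "delete", EXPIRED, ALICE))      # session not valid
    print(is_allowed("files", "delete", AS_ALICE, BOBS_FILE)) # not the uploader
    print(is_allowed("users", "read", ANON, BOB))             # no rule on read
    print(unguarded(["users", "files"]))
```

In this model, unguarded() lists every operation that stays open to any caller because its expression is empty, which is the set to review before relying on the rules above.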