How to set up field-based permission in policies.json

Hello!

Is there an example of how I can configure field-based permissions in the open-source version of Tyk Gateway? Can I use security policies for this? Can this be done by adding some clauses to policies.json?

Hi @Andrey_Nado, welcome to the community.

We usually have some examples in our GitHub repo, however, I am not sure we have one for GraphQL. I have attached a snippet below that could be of help.

Can I use security policies for this?

Yes, absolutely.

Can this be done by adding some clauses to policies.json?

Yes, I have added a sample below. Hope it helps.

{
  "auth_type": "authToken",
  "auth_types": [
    "authToken"
  ],
  "state": "active",
  "graphql_enabled": true,
  "_id": "623dcd6a01f3630001282da8",
  "id": "",
  "name": "UDG Star Wars Policy",
  "org_id": "XXX",
  "rate": 1000,
  "per": 60,
  "quota_max": -1,
  "quota_renewal_rate": -1,
  "throttle_interval": -1,
  "throttle_retry_limit": -1,
  "max_query_depth": -1,
  "access_rights": {
    "d29ed49e7f724b766fd8caa69cf9832d": {
      "api_name": "API UDG Star Wars",
      "api_id": "d29ed49e7f724b766fd8caa69cf9832d",
      "versions": [
        "Default"
      ],
      "allowed_urls": [],
      "restricted_types": [
        {
          "name": "Query",
          "fields": [
            "person"
          ]
        },
        {
          "name": "Person",
          "fields": [
            "name",
            "mass"
          ]
        }
      ],
      "limit": null,
      "field_access_rights": [
        {
          "type_name": "Query",
          "field_name": "person",
          "limits": {
            "max_query_depth": -1
          }
        }
      ],
      "allowance_scope": ""
    }
  },
  "hmac_enabled": false,
  "active": true,
  "is_inactive": false,
  "tags": [],
  "key_expires_in": 86400,
  "partitions": {
    "quota": true,
    "rate_limit": true,
    "complexity": true,
    "acl": true,
    "per_api": false
  },
  "meta_data": {}
}
2 Likes

Thank you for the quick response!

We usually have some examples in our GitHub repo

I checked out tyk-demo repo but it has no example of field-based permissions.

I have added a sample below.

The restricted_types configuration works like a charm, great!

Unfortunately, I did not manage to make field_access_rights work. The gateway always returns a “depth limit exceeded” error regardless of the numeric value specified.

Thanks again!

Hey @Andrey_Nado,

the “field_access_rights” part of the policy is responsible for setting a depth limit for a query only. So if you have a schema like this:

type Query {
  getCountry(code: ID!): Country
  getContinent(code: ID!): Continent
  getLanguage(code: ID!): Language
}

type Country {
  code: ID!
  name: String!
  native: String!
  phone: String!
  continent: Continent!
}

type Continent {
  code: ID!
  name: String!
  countries: [Country!]!
}

type Language {
  code: ID!
  name: String
  native: String
}

You can do a few different things with your policy.

  1. Restrict someone from seeing a whole type or just part of it. That is set in “restricted_types”, as @Olu showed above.

  2. Set a global depth limit by using “max_query_depth”.

  3. Set a depth limit per query. So, assuming I do not want my users to go lower than depth 3 on my getContinent(code: ID!): Continent query, I can use “field_access_rights” this way:

"field_access_rights": [
  {
    "type_name": "Query",
    "field_name": "getContinent",
    "limits": {
      "max_query_depth": 3
    }
  }
]

You need to make sure that in “field_access_rights” you are referring to the query type and one of the queries you have there already.

1 Like
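To show how the three policy controls described above (restricted_types, the global max_query_depth, and a per-query limit in field_access_rights) combine on a real query, here is a small Python model, added as an example; it is not Tyk's code and does not claim to reproduce the gateway's exact evaluation order. The POLICY fragment is constructed with the policies.json keys from this thread, the SCHEMA table is a reduction of the schema quoted above, and the depth rule (the root field counts as 1, each nested selection set adds 1) and the reading of restricted_types as a deny list are assumptions of the model.

```python
import re

# Constructed policy fragment using the policies.json keys from this thread (values are made up).
POLICY = {
    "max_query_depth": -1,  # global depth limit, -1 = unlimited
    "restricted_types": [{"name": "Country", "fields": ["phone"]}],
    "field_access_rights": [{"type_name": "Query", "field_name": "getContinent",
                             "limits": {"max_query_depth": 3}}],
}
# Field -> return type, reduced from the schema above (list and non-null wrappers dropped).
SCHEMA = {
    "Query": {"getCountry": "Country", "getContinent": "Continent", "getLanguage": "Language"},
    "Country": {"code": "ID", "name": "String", "native": "String", "phone": "String",
                "continent": "Continent"},
    "Continent": {"code": "ID", "name": "String", "countries": "Country"},
    "Language": {"code": "ID", "name": "String", "native": "String"},
}

def parse(query):
    """Anonymous '{ ... }' query -> nested {field: sub_selection} dicts; arguments are dropped."""
    tokens = re.findall(r"[{}]|[A-Za-z_]\w*", re.sub(r"\([^)]*\)", "", query))
    root, stack, last = {}, [], None
    for tok in tokens:
        if tok == "{":   # open the selection set of the field seen last
            stack.append(root if not stack else stack[-1][last])
        elif tok == "}":
            stack.pop()
        else:            # a field name (aliases, fragments and variables are not supported)
            stack[-1][tok], last = {}, tok
    return root
def depth(selection):
    """Nesting depth: a leaf field counts 1, each nested selection set adds 1."""
    return max((1 + depth(sub) for sub in selection.values()), default=0)
def check(query, policy=POLICY):
    """Return None if the query passes the policy, else the first violation found."""
    restricted = {r["name"]: set(r["fields"]) for r in policy["restricted_types"]}
    per_field = {(r["type_name"], r["field_name"]): r["limits"]["max_query_depth"]
                 for r in policy["field_access_rights"]}
    def walk(selection, type_name):
        for field, sub in selection.items():
            if field in restricted.get(type_name, ()):
                return f"field {type_name}.{field} is restricted"
            limit = per_field.get((type_name, field), -1)  # -1 = no per-field limit here
            if limit != -1 and 1 + depth(sub) > limit:      # the field itself counts as 1
                return f"depth limit exceeded on {type_name}.{field}"
            if err := walk(sub, SCHEMA.get(type_name, {}).get(field)):
                return err
    g, root = policy["max_query_depth"], parse(query)
    return "depth limit exceeded" if g != -1 and depth(root) > g else walk(root, "Query")
```

The model treats -1 in a per-field rule as "no limit"; the earlier reply in this thread reports that the gateway rejected such a rule, so a positive value is the safer choice in field_access_rights.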

@agata-wit thank you.