Permissions

The content on this page describes the "legacy" permissions system within Fauna. Instead, you should use Attribute-based access control (ABAC), which provides far greater control over the groups of users that should have access and the kinds of access that they should receive.

Fauna has a built-in permissions system that allows for fine-grained control over access to data.

Access is controlled by a resource’s permissions object. The identity of a request’s key is checked against the value of the permission field corresponding to the resource and action being taken.

Permission fields

Permission fields may be set to one of the following values:

Value            Access allowed

empty            Only admin or server keys are allowed.

public           Any key is allowed.
                 Client keys and roles, and public permissions, are deprecated as of the 2.12.0 release. You should use the Attribute-based access control (ABAC) system instead. See Deprecations for more details.

document ref     Only tokens belonging to the specified document are allowed.

collection ref   Only tokens belonging to documents in the specified collection are allowed.

Beginning with Fauna 2.11.0, access control for a given resource is decided by either its attribute-based access control (ABAC) roles or the key-based permission system, never both.

If a resource is a member of an ABAC role, the ABAC role specifies all privileges for that resource. Otherwise, the key-based permission system determines whether read/write/execute privileges are enabled.

For example, when an ABAC role includes a user-defined function as a member, that function cannot be called unless the ABAC privileges permit the call action.

Collection permissions

Creating, reading, and modifying a document in a collection is controlled by the collection’s permissions. Applicable fields on a collection are:

Permission field   Action allowed

create             Permits creating a document in the collection.

read               Permits reading documents in the collection.

write              Permits writing to documents in the collection.

A document also has permissions, which are applied in addition to permissions defined on its collection. The permissions on a document may contain these fields:

Permission field   Action allowed

read               Permits reading this document.

write              Permits writing to this document.

User-defined function permissions

Calling a function is controlled by its permissions. Applicable fields are:

Permission field   Action allowed

call               Permits calling the function.

Index permissions

Query access to an index is controlled by its permissions. Applicable fields are:

Permission field   Action allowed

read               Permits querying the index.
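The following is an added example, not Fauna's own code or API, that models the key-based check for the four permission field values and the ABAC-before-keys precedence described in this page. It assumes refs encoded as plain strings ("users" for a collection, "users/1" for a document), abstracts an ABAC role down to the set of actions it grants the caller, and assumes admin and server keys are always permitted.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the legacy permission check. Refs are encoded as plain
# strings: a document ref as "collection/id" (e.g. "users/1") and a collection
# ref as "collection" (e.g. "users"). This encoding is an assumption for the
# example, not Fauna's Ref type.

@dataclass(frozen=True)
class Key:
    kind: str                       # "admin", "server", "client" or "token"
    document: Optional[str] = None  # tokens only: the document the token belongs to

def permission_allows(value: Optional[str], key: Key) -> bool:
    """Check one permission field value against the identity of the request's key."""
    if key.kind in ("admin", "server"):
        return True                 # admin and server keys are always allowed (assumption)
    if value is None:
        return False                # empty field: only admin or server keys
    if value == "public":
        return True                 # any key, including deprecated client keys
    if key.kind != "token" or key.document is None:
        return False                # document and collection refs match tokens only
    if "/" in value:
        return key.document == value                  # document ref: exact match
    return key.document.split("/", 1)[0] == value     # collection ref: same collection

@dataclass
class Resource:
    # Permission fields as on the page, e.g. {"create": "users", "read": "public"};
    # a missing field or a None value means the field is empty.
    permissions: dict = field(default_factory=dict)
    # Actions an ABAC role grants this caller on the resource; None means the
    # resource is not a member of any ABAC role (the role itself is abstracted away).
    abac_privileges: Optional[set] = None

def is_allowed(resource: Resource, action: str, key: Key) -> bool:
    """ABAC decides for role members; otherwise the key-based fields decide."""
    if key.kind in ("admin", "server"):
        return True
    if resource.abac_privileges is not None:
        return action in resource.abac_privileges     # role members: ABAC only
    return permission_allows(resource.permissions.get(action), key)
```

Note that a resource inside an ABAC role ignores its permission fields entirely, so a "public" call or read field no longer grants anything once the resource becomes a role member.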
