Groups

If a user has not assigned group in a database, the default group “*” is taken. The wildcard “*” represents all the groups that are not defined in this configuration. By default, such a group has no access to the database in read and write. Below you can find the default configuration for the default group “*”.

{ "*": {
  "types": {"*": {"access": []}},
  "access": [],
  "readTimeout": -1,
  "resultSetLimit": -1
} }

Where:

  • types is the map of type and access level. The wildcard “*” represents all the types that are not defined in this configuration.

  • access is the array containing the allowed permissions for the group. The supported permission at group level are:

    • updateSecurity: to update the security settings (create, modify and delete users, groups, etc.)

    • updateSchema: to update the database schema (create, modify and drop buckets, types and indexes)

  • readTimeout if present, specify the maximum timeout for read operations. -1 means no limits. If set, all the read operations (lookups and queries) will be limited to maximum <readTimeout> milliseconds. This is useful to limit users to execute expensive commands and queries impacting the performance of the server and therefore other connected users.

  • resultSetLimit if present, specify the maximum number of entries in the result set returning from a command or query. -1 means no limits. If set, any query or command will be interrupted when this limit is reached. This is useful to limit users to retrieve huge result sets impacting the performance of the server and therefore other connected users.

You can profile the access of each group up to the type level.

  • createRecord, allows creating new records

  • readRecord, allows reading records

  • updateRecord, allows updating records

  • deleteRecord, allows deleting records

creating an edge is technically 2 operations: (1) create a new edge record and (2) update the vertices with the reference. For this reason, if you want to allow a user to create edges, you have to grant the createRecord permission on the edge type and updateRecord on the vertex type.

Example of the definition of the group for a Blog writer, where he can only read from the "Blog" type and have full access to the "Post" type:

{
  "types": {
    "*": {
      "access": []
    },
    "Blog": {
      "access": [
        "readRecord"
      ]
    },
    "Post": {
      "access": [
        "createRecord",
        "readRecord",
        "updateRecord",
        "deleteRecord"
      ]
    }
  }
}

The default settings for the admin group are:

{
  "access": [
    "updateSecurity",
    "updateSchema"
  ],
  "resultSetLimit": -1,
  "readTimeout": -1,
  "types": {
    "*": {
      "access": [
        "createRecord",
        "readRecord",
        "updateRecord",
        "deleteRecord"
      ]
    }
  }
}

Which allows to execute any operation against the security, the schema and records.

Here is an example for an append-only group:

"appendonly": {
  "access": [],
  "resultSetLimit": -1,
  "readTimeout": -1,
  "types": {
    "*": {
      "access": [
        "createRecord",
        "readRecord"
      ]
    }
  }
}

Which allows the group members to read and create, but not to update or delete records. Such a group can be useful for ledgers, block chains, or data provenance.

You can use any JSON editor to edit the file config/server-groups.json. It’s recommended to keep a copy of the current file before editing the groups. In this way if there are any errors, it’s easy to restore the previous file.