- The Structr Knowledge Graph
- About Structr
- Getting Started
- Installation and Setup
- Working with Structr
- Advanced Topics
Structr provides graph-based permission resolution to control access rights for non-admin users based on a domain security model. By setting rules for how access rights are propagated over relationships in the graph, the effective access permissions can be controlled.
In the above example, the schema is configured in such a way that users with the
maintains relationship to a
ProductGroup will have access to any
Product object in the group they maintain, but not to the subgroups of the given group.
Schema relationships that are configured to allow domain permission resolution are called active relationships. Active relationships are displayed in a different color than normal relationships in the schema editor.
When a non-admin user accesses a private object (e.g. a
Product node from the above example schema), Structr tries to find a path which ADDs the requested right or KEEPs the requested right from a node the user has the specific right on.
In detail: We assume that a user who has read access to a
ProductGroup tries to access a
Product contained in that group (for which the user does not have direct rights).
Structr will then traverse the active relationship(s) until a path is found which ADDs or KEEPs the requested right.
Successful path evaluation
ProductGroup-[:contains]->Productrelationship is configured to keep
- The effective permissions at the end of the evaluation process are
Unsuccessful path evaluation
Let’s assume a user wants to access a product that is not contained in the product group he/she has access to, but in a subgroup of the given group. In this case, Structr will not be able to find a connected path of active relationships and will fail the permission resolution.
Properties in the Hidden Properties input field are removed from the JSON output of an entity accessed over a permission resolution path. If you for example want to remove the properties
value from the JSON output of the
Product entity in the above example, the hidden properties input field should contain