
I am looking for a way to put a constraint in place preventing access to data based on a site_uuid.

All the tables in my database would have a field site_uuid. Then I would ideally like to pass that site_uuid as a request header and essentially apply a where clause on every query checking the site_uuid is valid for the dataset returned.

The idea is that it's a shared database with multiple "sites". I understand scalability issues etc. This is not an issue in my case, the best approach is this multi-tenant approach if I can make it work.

I first hit this issue using the built-in _by_pk queries, when returning one object. I understand I can just use a where clause when returning a list of records.

Jaybeecave
  • You are looking for Hasura ACL. Check this blog post https://hasura.io/blog/authorization-rules-for-multi-tenant-system-google-cloud/ – Leonardo Alves Jul 19 '20 at 15:09
  • Have a look at these two articles: (1) https://hasura.io/docs/1.0/graphql/manual/auth/authorization/common-roles-auth-examples.html#managers-of-an-organisation-in-a-multi-tenant-app and (2) https://hasura.io/docs/1.0/graphql/manual/auth/authorization/roles-variables.html#roles-session-variables – avimoondra Jul 20 '20 at 01:26
  • Looks to be exactly what I needed, will review and post an answer when I can – Jaybeecave Jul 21 '20 at 02:23
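
An added example, not part of the original post or comments and not Hasura's own code: a minimal auth webhook that derives the `X-Hasura-Site-Uuid` session variable from the authenticated caller instead of trusting a client-supplied header, which is what makes the row filter `{"site_uuid": {"_eq": "X-Hasura-Site-Uuid"}}` a real tenant boundary. It assumes Hasura's webhook authentication mode (JWT claims are the other way to set session variables); the role name `user`, the token table, the UUIDs and the listen port are hypothetical.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: API token -> (user id, site the user belongs to).
TOKENS = {
    "token-alice": ("1", "11111111-1111-1111-1111-111111111111"),
    "token-bob": ("2", "22222222-2222-2222-2222-222222222222"),
}

# Row filter to put on each table's select/update/delete permission for the
# hypothetical role "user"; Hasura applies it to list queries and to
# <table>_by_pk alike, so a foreign tenant's primary key returns null.
ROW_FILTER = {"site_uuid": {"_eq": "X-Hasura-Site-Uuid"}}


def resolve_session(headers):
    """Return (http_status, session_variables) for the forwarded headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return 401, {}
    for known, (user_id, site_uuid) in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            # The tenant comes from the server-side record only; any
            # x-hasura-* header sent by the client is ignored.
            return 200, {
                "X-Hasura-Role": "user",
                "X-Hasura-User-Id": user_id,
                "X-Hasura-Site-Uuid": site_uuid,
            }
    return 401, {}


class Hook(BaseHTTPRequestHandler):
    def do_GET(self):
        # Hasura forwards the client's request headers to the webhook.
        status, session = resolve_session(dict(self.headers.items()))
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(session).encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 3000), Hook).serve_forever()
```

For inserts, the same expression goes in the permission's `check`, with `site_uuid` set from the session variable as a column preset so clients never supply it.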

0 Answers