Where to paste Realm permissions?

In this tutorial, it says to paste the following permissions:

{
  "rules": {},
  "defaultRoles": [
    {
      "name": "owner-read-write",
      "applyWhen": {},
      "read": {
        "ownerId": "%%user.id"
      },
      "write": {
        "ownerId": "%%user.id"
      }
    }
  ]
}

I selected the option to create a new database, but it isn’t created yet.


To clarify, when creating a (default) role, does it apply to all collections? (If a document doesn’t have ownerId, the rule is simply ignored?)

With the new UI, do I just need to check the boxes for “Document Permissions” and add "ownerId": "%%user.id"?

Hi, I just filed a ticket to update the docs to remove that section and make it clearer since we recently changed where permissions are viewed and edited.

Permissions should be defined in the rules tab. See here for a good overview: https://www.mongodb.com/docs/atlas/app-services/sync/app-builder/device-sync-permissions-guide/

Default rules apply to any collection that does not have a specific collection rule defined. And for sync, document filters are indeed required.

Best,
Tyler

I didn’t find an explanation for Document Permissions (Insert, Delete, Search). (My guess is that Insert is for adding new items to a list and Delete is to prevent some users from deleting a document. I don’t know how Search can be disallowed when queries are performed locally (?).)

Can I conditionally give Delete permissions? For example, I want to let collaborators edit a document, but not delete it.

"write": {
  "$or": [
    {
      "owner_id": "%%user.id"
    },
    {
      "collaborators": "%%user.id"
    }
  ]
}

Also, can "apply_when": { "owner_id": "%%user.id"} be used instead of document filters? (That way I can apply different rules when a user is the owner or a collaborator) It should be equivalent, but maybe it is less efficient with Flexible Sync.

Hi. Yes, you can conditionally give delete permissions. Please see this flow chart which should explain how permissions are evaluated: https://www.mongodb.com/docs/atlas/app-services/rules/roles/#write-permissions-flowchart

Unfortunately, permissions can be a touch confusing given how open and expressive they try to be.

In your case, you would want to give collaborators “write” access but not “delete” access.

Best,
Tyler
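
The split described above (collaborators can write, only the owner can delete), as an added example that is not part of the original thread and not MongoDB's code. It is a simplified model of the decision, not the App Services evaluator; the role name, the owner-only `delete` expression, the rule that delete also needs write access, and the sample documents are assumptions.

```python
# Simplified model (an assumption, not the App Services evaluator) of the
# advice above: collaborators may write a document, only the owner may delete.

# Constructed role. document_filters.write is the "$or" from the question;
# expressing "delete" as an owner-only expression is an assumption.
ROLE = {
    "name": "owner-or-collaborator",
    "document_filters": {
        "write": {"$or": [{"owner_id": "%%user.id"},
                          {"collaborators": "%%user.id"}]},
    },
    "delete": {"owner_id": "%%user.id"},
}

_MISSING = object()

def matches(expr, doc, user_id):
    """Evaluate the small expression subset used on this page against doc."""
    if isinstance(expr, bool):
        return expr
    for key, want in expr.items():
        if key == "$or":
            if not any(matches(sub, doc, user_id) for sub in want):
                return False
            continue
        if want == "%%user.id":          # expansion of the calling user's id
            want = user_id
        have = doc.get(key, _MISSING)
        # MongoDB-style equality: scalar equals value, or array contains it.
        # A missing field never matches, so the check fails closed.
        hit = want in have if isinstance(have, list) else have == want
        if not hit:
            return False
    return True

def allowed(action, doc, user_id):
    """action is 'write' or 'delete'; in this model delete also needs write."""
    if not matches(ROLE["document_filters"]["write"], doc, user_id):
        return False
    return action == "write" or matches(ROLE["delete"], doc, user_id)

# Constructed sample documents.
DOC = {"_id": 1, "owner_id": "alice", "collaborators": ["bob", "carol"]}
NO_OWNER = {"_id": 2, "title": "no owner_id or collaborators field"}

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, {a: allowed(a, DOC, user) for a in ("write", "delete")})
    print("alice on NO_OWNER:", allowed("write", NO_OWNER, "alice"))
```

The `NO_OWNER` case shows why a document without the owner field is denied rather than skipped: an equality expression on a missing field evaluates to false.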
