Security Concepts

Built-in roles

In addition to creating custom roles, you can grant permissions to three special built-in roles:

  • Anonymous user
  • Authenticated user
  • Owner

Anonymous user

Any request made by a user that has not authenticated with a JWT token will be considered a member of the built-in role “Anonymous user”. Take care when granting permissions to this role, especially for the methods that can alter data: POST, PUT, PATCH and DELETE.

TIP: If you require anonymous users to submit data, consider using the ReCaptcha feature to reduce the chance of submissions being made by bots.

Authenticated user

Any request made by a user that is authenticated (regardless of membership status in any custom roles) will be considered a member of the built-in role “Authenticated user”.

Owner

Authenticated users are members of the built-in role “Owner” when accessing items that they created themselves. This is a practical way to enable update and/or delete operations on items the user has created, while limiting other users to read-only or no access.
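As an added example (not code from the original page or the platform it documents), the following Python sketch shows how the three built-in roles are resolved for a request and then checked against a permission table; the class and function names and the sample permission table are assumptions made for illustration.

```python
# Added example, not the platform's own code: models the built-in roles
# "Anonymous user", "Authenticated user" and "Owner" described above.
from dataclasses import dataclass, field
from typing import Optional

ANONYMOUS, AUTHENTICATED, OWNER = "Anonymous user", "Authenticated user", "Owner"


@dataclass
class Request:
    method: str                        # GET, POST, PUT, PATCH or DELETE
    user_id: Optional[str] = None      # None when no valid JWT token was presented
    custom_roles: set = field(default_factory=set)  # custom roles from the token


@dataclass
class Item:
    created_by: Optional[str] = None   # user id of the item's creator


def effective_roles(req: Request, item: Optional[Item] = None) -> set:
    """Built-in roles the caller holds for this request, plus any custom roles."""
    if req.user_id is None:
        # Unauthenticated callers are only ever "Anonymous user";
        # custom roles cannot apply without a verified identity.
        return {ANONYMOUS}
    roles = {AUTHENTICATED} | set(req.custom_roles)
    if item is not None and item.created_by == req.user_id:
        roles.add(OWNER)               # only for items the caller created
    return roles


# Constructed sample permission table (role -> allowed HTTP methods).
# Anonymous callers are read-only; only the creator may update or delete.
PERMISSIONS = {
    ANONYMOUS: {"GET"},
    AUTHENTICATED: {"GET", "POST"},
    OWNER: {"GET", "PUT", "PATCH", "DELETE"},
}


def is_allowed(req: Request, item: Optional[Item] = None, table=PERMISSIONS) -> bool:
    """Deny by default; allow if any held role grants the requested method."""
    return any(req.method in table.get(role, set())
               for role in effective_roles(req, item))
```

A request with a custom role but no user id still resolves to Anonymous only, which is why granting data-altering methods to that role affects every unauthenticated caller.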