3. GraphQL and Data Confidentiality (CRUD)
When you send a query or a mutation to the HOPEX GraphQL API, all access rights are checked against the profile used.
The access rights are defined, in this order, at several levels:
1. License level
2. Option level
3. Profile level
4. Workflow level
5. Data Reading or Writing access rules (graph or macro)
Each time you make a query or a mutation, HOPEX checks that you are allowed to perform the action:
For a query: it checks the "Read" access right (R).
For a mutation: it checks the "Write" access rights (CRUD):
o Create when creating an object
o Update when updating an existing object
o Delete when deleting an existing object
3.1. Query
In a query, if you are not allowed to view the requested information you will get:
a null value for a field (MetaAttribute)
an empty array for a relationship (MetaAssociation)
3.2. Mutation
In a mutation, if you are not allowed to create/update/delete the requested object or its fields you will get:
an error on each field you are not allowed to edit, with a message: "You are not allowed to perform this action..."
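The two behaviours described in 3.1 and 3.2 differ in a way that matters when you verify a profile's effective rights: a denied read shows up as a null or empty value, which is also what legitimately empty data looks like, whereas a denied write shows up as an explicit error per field. The following probe, an added example that is not part of HOPEX or its documentation, runs one query and one mutation through an injectable transport and summarises which fields were readable, which came back null or empty (possibly denied), and which the mutation was refused on. It assumes the standard GraphQL JSON response shape ({"data": ..., "errors": [{"message", "path"}]}) and the "You are not allowed to perform this action" message quoted above; the object type, field names, query documents and sample responses are constructed for illustration, not taken from a HOPEX instance.

```python
"""Probe the effective CRUD rights of a profile against a GraphQL API.

Added example (not HOPEX code). Assumptions: standard GraphQL response shape,
the "You are not allowed to perform this action" message for denied mutation
fields, and constructed type/field names and sample responses.
"""
import re
from typing import Callable, Dict, Iterable, List, Set

# Message quoted in the documentation for a denied mutation field.
NOT_ALLOWED_RE = re.compile(r"You are not allowed to perform this action", re.IGNORECASE)


def classify_read_result(node: dict, attributes: Iterable[str],
                         associations: Iterable[str]) -> Dict[str, Set[str]]:
    """Sort the fields of one returned object into 'readable' and 'suspect'.

    A MetaAttribute the profile may not read comes back as null and a
    MetaAssociation as an empty array. Both are also what genuinely empty data
    looks like, so they are reported as 'suspect', not 'denied'.
    """
    readable: Set[str] = set()
    suspect: Set[str] = set()
    for name in attributes:
        (suspect if node.get(name) is None else readable).add(name)
    for name in associations:
        (suspect if not node.get(name) else readable).add(name)
    return {"readable": readable, "suspect": suspect}


def denied_fields_from_errors(errors: List[dict]) -> Set[str]:
    """Collect the fields a mutation was refused on.

    Assumes each error has a 'message' and, optionally, a 'path' whose last
    string element names the field. Errors without the 'not allowed' message
    are ignored: they are not permission failures.
    """
    denied: Set[str] = set()
    for err in errors:
        if not NOT_ALLOWED_RE.search(err.get("message", "")):
            continue
        path = err.get("path") or []
        field = next((p for p in reversed(path) if isinstance(p, str)), "<unknown>")
        denied.add(field)
    return denied


def probe_profile(execute: Callable[[str, dict], dict], query: str, mutation: str,
                  root_field: str, attributes: List[str], associations: List[str],
                  variables: dict = None) -> Dict[str, List[str]]:
    """Run the query, then the mutation, and summarise what the profile may do.

    `execute(document, variables)` is the transport (e.g. an HTTP POST with the
    profile's token); it is injected so the probe can run offline.
    """
    variables = variables or {}
    read = execute(query, variables)
    nodes = (read.get("data") or {}).get(root_field) or []
    node = nodes[0] if isinstance(nodes, list) and nodes else (nodes if isinstance(nodes, dict) else {})
    read_summary = classify_read_result(node, attributes, associations)
    write = execute(mutation, variables)
    return {
        "readable": sorted(read_summary["readable"]),
        "read_suspect": sorted(read_summary["suspect"]),
        "write_denied": sorted(denied_fields_from_errors(write.get("errors") or [])),
    }


# Constructed documents and responses standing in for a live endpoint (not real data).
EXAMPLE_QUERY = "query { application { id name comment businessProcess { id } } }"
EXAMPLE_MUTATION = 'mutation { updateApplication(id: "app-1", application: {comment: "x"}) { id } }'
SAMPLE_QUERY_RESPONSE = {
    "data": {"application": [{"id": "app-1", "name": "Payroll", "comment": None, "businessProcess": []}]}
}
SAMPLE_MUTATION_RESPONSE = {
    "data": {"updateApplication": None},
    "errors": [
        {"message": "You are not allowed to perform this action on field comment",
         "path": ["updateApplication", "comment"]},
        {"message": "Unknown field 'foo'", "path": ["updateApplication", "foo"]},
    ],
}


def fake_execute(document: str, variables: dict) -> dict:
    """Offline stand-in for the HTTP transport; returns the constructed responses."""
    return SAMPLE_MUTATION_RESPONSE if document.lstrip().startswith("mutation") else SAMPLE_QUERY_RESPONSE


if __name__ == "__main__":
    summary = probe_profile(fake_execute, EXAMPLE_QUERY, EXAMPLE_MUTATION,
                            "application", ["name", "comment"], ["businessProcess"])
    for key, fields in summary.items():
        print(f"{key}: {', '.join(fields) or '-'}")
```

The probe deliberately reports null and empty reads as "suspect" rather than "denied": a profile that may read a field whose value is simply empty produces the same response as one that may not, so read rights are confirmed only by a non-null value, and denied reads are best confirmed by comparing against a profile known to have access. Write rights, by contrast, can be read directly off the per-field errors.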
3.3. Managing permission
Ensure that the profile you use when querying the application is configured with the appropriate CRUD rights: the checks described above are only as strict as the profile they are evaluated against.