Authorization / Access control


Hasura supports role-based authorization where access control is done by creating rules for each role, table and operation (insert, update, etc.). These access control rules use dynamic session variables that are passed to GraphQL engine from your authentication service with every request. Role information is inferred from the X-Hasura-Role and X-Hasura-Allowed-Roles session variables. Other session variables can be passed by your auth service as per your requirements.

For example:

Trying access control out

If you just want to see role-based access control in action, you need not set up or integrate your auth service with GraphQL Engine. You can just:

  • Define permission rules for a table for a role.
  • Use the GraphiQL interface in the console to make a request and send the session variables as request headers (send a X-Hasura-Role key, with its value as the name of the role you’ve defined rules for). The data in the response will be restricted as per your configuration.

Follow the example at access control basics.