Enable filtering with custom roles

Open lionelschiepers opened this issue 1 year ago • 1 comments

Why make this change?

This pull request is related to issue 2115 (https://github.com/Azure/data-api-builder/issues/2115) that reports that it's not possible to filter entities anonymously accessible when the caller is using a custom role.

What is this change?

When filtering is disallowed for a custom role because the role is not defined for that entity, it is then checked for the authenticated role the custom role inherits from. Please note that when no authenticated role is defined for an entity, it is automatically defined using the definition of the anonymous role.

How was this tested?

I've tested in our live environment.

lionelschiepers avatar Mar 19 '24 15:03 lionelschiepers

Thank you for your contribution, I will take a look soon. But in the meantime, please add tests that exercise this scenario that you are fixing.

seantleonard avatar Mar 19 '24 16:03 seantleonard

@Aniruddh25 we should review this this semester.

JerryNixon avatar Sep 05 '25 20:09 JerryNixon

+1

JerryNixon avatar Oct 07 '25 20:10 JerryNixon

The behavior described is by design, not a bug.

Here’s the key:

Data API builder does not perform role inheritance. Each role must be explicitly defined per entity in the configuration.

So when you set X-MS-API-ROLE = role-a, DAB looks for an explicit role-a permission block on that entity. If it doesn’t find one, it does not automatically inherit permissions from authenticated or anonymous. That’s why the filter authorization check fails.

The apparent inconsistency—being able to read fields but not filter—comes from how GraphQL and REST differ in execution paths. In the read operation, the engine evaluates “access to entity” (which passes through because of anonymous read permissions), but filtering checks column-level permission for the active role, which is undefined for role-a. Since DAB sees role-a but can’t find corresponding metadata, it correctly blocks the filter for security reasons.

JerryNixon avatar Nov 03 '25 08:11 JerryNixon

Please note that when no authenticated role is defined for an entity, it is automatically defined using the definition of the anonymous role.

While this is true, the same rule does not apply to custom roles; authenticated and anonymous are special roles.

Aniruddh25 avatar Nov 10 '25 03:11 Aniruddh25

As discussed in the issue here: https://github.com/Azure/data-api-builder/issues/2115, this behavior is by design, hence closing this PR.

But really appreciate and thank you for your deep investigation and contributions, @lionelschiepers!

Refer to this section of the doc to add multiple permissions to the same entity: https://learn.microsoft.com/en-us/azure/data-api-builder/command-line/dab-add#--permissions

Example:

dab add Book --source dbo.Books --permissions "anonymous:read" --permissions "authenticated:create,read,update,delete"

Aniruddh25 avatar Nov 10 '25 03:11 Aniruddh25
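
The rules stated in this thread (authenticated is derived from anonymous when absent, custom roles inherit nothing) can be checked against a configuration before a custom role is put into use. The following is an added example, not code from Data API builder or from any participant; it assumes the `entities` / `permissions` layout of `dab-config.json`, and the entity names, sources and the role `role-a` in the sample are constructed.

```python
import json

# Constructed sample in the dab-config.json "entities" layout (assumption:
# only the keys used below matter; names and sources are illustrative).
SAMPLE_CONFIG = json.loads("""
{
  "entities": {
    "Book": {
      "source": "dbo.Books",
      "permissions": [{"role": "anonymous", "actions": ["read"]}]
    },
    "Author": {
      "source": "dbo.Authors",
      "permissions": [
        {"role": "anonymous", "actions": ["read"]},
        {"role": "role-a",
         "actions": [{"action": "read", "fields": {"include": ["id", "name"]}}]}
      ]
    },
    "Order": {
      "source": "dbo.Orders",
      "permissions": [{"role": "authenticated", "actions": ["*"]}]
    }
  }
}
""")


def effective_roles(entity):
    """Roles that have a permission block on this entity, per the thread's rules."""
    roles = {p["role"] for p in entity.get("permissions", [])}
    # Special case from the thread: authenticated falls back to anonymous.
    # Custom roles get no such fallback, so nothing else is added here.
    if "anonymous" in roles:
        roles.add("authenticated")
    return roles


def audit_role(config, role):
    """Return (entities where role is defined, entities where it is not)."""
    defined, missing = [], []
    for name, entity in config.get("entities", {}).items():
        (defined if role in effective_roles(entity) else missing).append(name)
    return sorted(defined), sorted(missing)


if __name__ == "__main__":
    for role in ("role-a", "authenticated"):
        defined, missing = audit_role(SAMPLE_CONFIG, role)
        print(f"{role}: defined on {defined}; no permission block on {missing}")
```

Entities listed as missing for a custom role are the ones that need an explicit permission block for that role before requests sent with that role can filter on them.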