
How do the CloudKit security roles and permissions work?

There are three default security roles in CloudKit:

  • World
  • Authenticated
  • Creator

And three permissions:

  • Create
  • Read
  • Write

How do these security roles and permissions work?

Here are examples of some of the questions I would hope get answered by an explanation of security roles:

  • What do the three roles mean? The first two seem obvious, but the last one seems less so. E.g. does Creator refer to the creator of the table, or the creator of a record?
  • Where would the deletion permission fall under? Write?
  • Can security roles be applied to individual records? (E.g. I want a user to have access to only a subset of the records in the InstantMessages table: the ones they send, and the ones they receive. Can something of this nature be done via security roles?)
  • Are permissions inherited? (E.g. Does the creator get all permissions granted from creator, authenticated, and world?)
  • Are permissions purely additive? Or can I create a custom role that will remove privileges rather than add them? (E.g. in order to create a "Banned User" security role.)
  • How do I set the role on a user? Can I set a default role for every user that is created? Can I change a user's role programmatically?
  • How do I create new security roles? Can I create/update them programmatically?
Senseful asked Jul 12 '15 15:07




1 Answer

1) How do these security roles and permissions work? You set them on the dashboard in the Development environment.

2) What do the three roles mean? The first two seem obvious, but the last one seems less so. E.g. does Creator refer to the creator of the table, or the creator of a record? - Creator of the record (and that means all devices that access CloudKit with the same iCloud Account)

3) Where would the deletion permission fall under? Write? YES

4) Can security roles be applied to individual records? NO

5) (E.g. I want a user to have access to only a subset of the records in the InstantMessages table: the ones they send, and the ones they receive. Can something of this nature be done via security roles?) What does 'access' mean? A user can only read things that your app allows them to read and that they have read permission. A user can only create or write (and delete) records that your app lets them create or modify (and delete) and that they have create or write permission - it takes both.

6) Are permissions inherited? (E.g. Does the creator get all permissions granted from creator, authenticated, and world?) Roles are subsets of each other - a creator is a subset of authenticated. Authenticated is a subset of world.

7) Are permissions....programmatically? Permissions go to the broad class "creator" "authenticated" "world" so you can't set permission user-by-user (except that the user who creates a record is the only creator).

But key to all of this is to remember that it takes your app's code to grant create/read/write to a record AND the particular user must have that permission. So you can do anything you want in code to allow anyone to do anything - provided you granted "Authenticated" the right to "write".

Peter B. Kramer answered Oct 26 '22 14:10
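The rules stated in the answer above, worked through as a small model. This is an added example, not code from the question, the answer or CloudKit itself: it makes no CloudKit API calls, the dashboard settings and user ids are constructed, and treating a caller's permissions as the union over every role they hold is an assumption drawn from the "subset" description.

```python
# Model of the role/permission rules described in the answer (not CloudKit API calls).
OPERATION_PERMISSION = {   # deletion falls under Write (answer point 3)
    "create": "create", "read": "read", "update": "write", "delete": "write",
}

def roles_for(user_id, record_creator_id=None):
    """Roles a caller holds for one record; user_id None means no iCloud account."""
    roles = ["world"]                          # everyone is in World
    if user_id is not None:
        roles.append("authenticated")          # Authenticated is a subset of World
        if user_id == record_creator_id:
            roles.append("creator")            # Creator is a subset of Authenticated
    return roles

def role_permissions(grants, user_id, record_creator_id=None):
    """Union of the permissions granted to every role the caller holds (assumed additive)."""
    perms = set()
    for role in roles_for(user_id, record_creator_id):
        perms |= grants.get(role, set())
    return perms

def allowed(grants, operation, user_id, record_creator_id=None, app_allows=True):
    """It takes both: the app's code must offer the operation AND the role must permit it."""
    needed = OPERATION_PERMISSION[operation]
    return app_allows and needed in role_permissions(grants, user_id, record_creator_id)

# Constructed dashboard settings for the question's InstantMessages record type.
INSTANT_MESSAGES = {
    "world": set(),
    "authenticated": {"create", "read"},
    "creator": {"write"},
}

def audit(grants, creator="alice", other="bob"):
    """Who passes the role check for a record created by `creator` (hypothetical user ids)."""
    callers = {"anonymous": None, "other user": other, "creator": creator}
    return {
        (label, op): allowed(grants, op, uid, creator)
        for label, uid in callers.items()
        for op in ("read", "update", "delete")
    }

if __name__ == "__main__":
    for (label, op), ok in audit(INSTANT_MESSAGES).items():
        print(f"{label:<11} {op:<7} {'allowed' if ok else 'denied'}")
```

With these settings every signed-in user passes the role check for reading any InstantMessages record, so restricting a user to the messages they sent or received is left to the app's own code, which the model represents with `app_allows`.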