Symbol Permissions

Because Black Magic Data provides an assortment of ways a Magic Data expression could damage the database or files of your site, it also includes a comprehensive system of Symbol Permission Sets.

You can define and edit permission sets through the site dashboard at Dashboard > Magic Data > Symbol Permissions. Then you can select which permission set to apply to the site on the settings page at Dashboard > Magic Data > Symbol Settings.

50 bmd symbol permissions.png

30 bmd settings.png

A default set of permissions enables all symbols. The Add/Edit dialog can be used to add further sets of symbol permissions with rules that exclude or include symbols by package, by individual symbol, or by snippet.

60 bmd symbol permissions.png

The starting point of any set of permissions is 'Include All'. You don't need to add that rule, you can take it for granted. It is only shown in the above screenshot for information.

When a symbol is evaluated, each rule is applied in turn to confirm is the symbol is available or not. So you could say 'Exclude everything in Black Magic Data', but keep 'LIST_ALL_SERVERS' and exclude use of the snippet 'All Super Admin'. 

Within a site, these complexities are not that important. Where multiple sets of symbol permissions with tightly controlled subsets of the Magic Data symbols become more useful is with the Black Magic Data API. Each API client can be assigned a permission set appropriate to what the client site needs to do.

The above example starts a permission set with all symbols included (the default), then excludes and includes after that.

A more restrictive approach would be to begin by excluding All symbols, then carefully adding symbols that are needed. 

A Magic Data Snippet always executes with the permission set of the site it is hosted on. So you could even pre-script what a client site can do into a series of snippets, then create a permission set that only allows enough so the client can evaluate those snippets through the API. With this approach you can create powerful interfaces as snippets, but prevent a client site from going outside those interfaces.

 

Last updated: over a year ago