Required Permissions for API Calls

Permissions are granted to the FTL client's user name and/or roles. To set user and role permissions from the FTL user interface, see Configuring Permissions.

When an application interacts with a persistence store or cluster, FTL determines if that interaction is allowed, based on the permissions granted to the FTL client's user name and/or roles. Mostly commonly this interaction results from an API call, but all interactions are regulated regardless of the source.

Interactions involving locks are regulated by permissions set at the persistence cluster level.

Interactions involving publishers, subscribers, maps, and stored data are regulated by permissions set at the persistence store level.

FTL server logs all authorization failures at the loglevel acl:verbose.

Where possible, if an FTL client is not authorized to take a certain action, the API call will fail immediately regardless of any retry duration.

The following table shows the required permissions for various API calls.

Note: Only the C APIs are listed, but the same holds true for all client APIs.

Permissions for API Calls
Operation	FTL API	FTL Permission
acquire lock	Implicit via map calls `WithLock`	lock
return lock	`tibLock_Return` `tibLock_Destroy`	lock
close map	`tibMap_Close`	map
create map	`tibRealm_CreateMap`	map
delete map	`tibRealm_RemoveMap`	map
map get	`tibMap_Get` `tibMap_GetMultiple`	map
map get size	`tibMap_GetSize`	map
map iterate	`tibMap_CreateIterator` `tibMapIterator_Next`	map
map remove	`tibMap_Remove`	map
map remove all	`tibMap_RemoveAll`	map
map set	`tibMap_Set` `tibMap_SetMultiple`	map
close publisher	`tibPublisher_Close`	publish
create publisher	`tibPublisher_Create`	publish
publish	`tibPublisher_Send` `tibPublisher_SendToInbox` `tibPublisher_SendMessages`	publish
send reply	`tibPublisher_SendReply`	publish
send request	`tibPublisher_SendRequest` Note: Sending the request requires the publish permission on the endpoint's store. Receiving the reply requires the subscribe permission on the reply endpoint's store (which could be a different store)	publish AND subscribe
acknowledge	`tibEventQueue_Dispatch` (auto) `tibMessage_Acknowledge` (explicit) `tibSubscriber_AcknowledgeMessages` (explicit)	subscribe
close subscriber	`tibSubscriber_Close`	subscribe
durable create	Implicit via `tibSubscriber_Create`	subscribe
dynamic durable destroy	`tibRealm_Unsubscribe` `tibRealm_UnsubscribeEx`	subscribe
start subscriber	`tibEventQueue_AddSubscriber`	subscribe
stop subscriber	`tibEventQueue_RemoveSubscriber`	subscribe
subscribe	`tibSubscriber_Create` `tibSubscriber_CreateOnInbox`	subscribe

Did you find this helpful?

Yes No