Access Restrictions

Hi Datomic Folks,

How are people implementing access / security models in your Datomic apps? I’m working on a project and we’re looking into best practices around securing access to parts of our data according to domain (e.g. “users shouldn’t be able to update others users data unless they are admin role”). We chose to expose transact capabilities to our frontend to keep things flexible as opposed to wrapping things with REST style routing.

I’m wondering if people on the forum have had good experiences using filter, reified transactions, or other approaches to restrict data access without falling back to more traditional architectures. Is there a with-the-grain approach with Datomic?

Thanks!

Are you using Datomic Cloud or Datomic On-Prem?

In the latter case, I would definitely lean toward filters as a mechanism for modeling access control. A simple example can be found here: https://github.com/Datomic/day-of-datomic/blob/master/tutorial/filter.clj

Hey Marshall,

Thanks for the resource, had missed that one somehow. I’m currently using on-prem with peer

Hi Marshall,

I basically have the same question, but I am using Datomic Cloud.
The Filters seem to be a good fit, is there a similar concept for Datomic Cloud?

I would likely handle this with an explicit permission model enforced by your application. As far as the exact implementation, it would probably depend on your specific schema and requirements, but I would expect that you could use some combination of:

• Entity specs
• Attr predicates
• Transaction functions
• manually annotating schema and/or transactions with permissions metadata

It is worth noting that these are all also available in On-Prem, and could be used there as well in place of (or in addition to) filter.