Managing Permissions (ACL) Cloud
The Permissions section of the RESTHeart Cloud UI lets you define, edit, and delete the Access Control List (ACL) rules that govern what authenticated users can do inside your RESTHeart service. Rules are stored in the acl collection and evaluated on every incoming request.
Navigation path: Service → Permissions
How the ACL Works
RESTHeart’s mongoAclAuthorizer evaluates every incoming HTTP request against the ACL documents stored in the acl collection. The authorizer:
-
Finds all ACL documents whose
rolesarray intersects with the authenticated user’s roles. -
Among those, finds documents whose
predicatematches the request (path, method, query string, etc.). -
Evaluates them in ascending
priorityorder — lower numbers are evaluated first. -
If any matching rule permits the request, it is allowed; otherwise it is denied.
Collection Path by Plan
| Plan | ACL collection path |
|---|---|
Free / Shared |
|
Dedicated |
|
The UI abstracts this difference — you always navigate to Service → Permissions regardless of plan.
Permission Document Structure
{
"_id": "usersCanReadOrders",
"roles": ["user"],
"predicate": "path-prefix('/orders') and method('GET')",
"priority": 100,
"mongo": {
"readFilter": { "owner": "@user._id" },
"writeFilter": null,
"mergeRequest": null,
"projectResponse": null
}
}| Field | Required | Description |
|---|---|---|
|
Yes |
Unique identifier for this permission rule. Choose a descriptive name (e.g. |
|
Yes |
Array of role name strings. The rule applies to any authenticated user who holds at least one of these roles. Roles are defined on user documents in the Users section. |
|
Yes |
An Undertow predicate expression that must evaluate to |
|
Yes |
Integer evaluation order. Lower values are evaluated first. Use lower numbers for more specific (higher-priority) rules. |
|
No |
Optional object with MongoDB-level security modifiers. See MongoDB Options below. |
Listing Permissions
The ACL list is fetched via GET /acl?page=…&pagesize=… and displayed in a paginated, searchable table. Each row shows the _id, the roles, the predicate, the priority, and action buttons.
Searching and Filtering
Use the Search box to apply a MongoDB filter expression, for example:
{ "roles": "user" }or
{ "priority": { "$lt": 50 } }A Sort expression (JSON object) can also be applied, mapping to the sort query parameter.
Creating a Permission
-
Click New Permission.
-
Fill in the form fields:
-
ID (
_id) — unique name for the rule. -
Roles — one or more role names this rule applies to.
-
Predicate — the Undertow predicate expression (see below).
-
Priority — integer; lower evaluates first.
-
MongoDB Options — optionally configure
readFilter,writeFilter,mergeRequest, andprojectResponse.
-
-
Click Save. The UI submits
POST /aclwith the document body.
Editing a Permission
-
Click Edit on a permission row to expand the inline accordion form.
-
All fields except
_idare editable. -
Click Save. The UI issues
PATCH /acl/<id>with the updated fields.
Deleting a Permission
Click Delete on a permission row. A confirmation dialog appears before the DELETE /acl/<id> request is issued.
|
Warning
|
Deleting a permission rule takes effect immediately. Any users whose access relied solely on that rule will be denied on the next request. |
Predicate Language
The predicate field uses the Undertow predicate expression language. A predicate is a boolean expression that is evaluated against the incoming HTTP request. The following predicates are available:
Path Predicates
| Predicate | Description | Example |
|---|---|---|
|
Matches the exact request path. |
|
|
Matches any path that starts with the given prefix. |
|
|
Matches parameterised paths; captured segments are available as variables. |
|
|
Matches paths ending with the given suffix. |
|
|
Matches the path against a regular expression. |
|
Method Predicates
| Predicate | Example |
|---|---|
|
|
|
|
|
Combining Predicates
Use and, or, and not to compose complex rules:
path-prefix('/orders') and method('GET')path-prefix('/reports') and (method('GET') or method('POST'))path-prefix('/admin') and not method('GET')Common Predicate Examples
| Goal | Predicate |
|---|---|
Allow GET on any path |
|
Allow all methods on |
|
Allow POST only to |
|
Allow GET and PATCH on |
|
Allow everything under |
|
Deny DELETE everywhere (use |
|
|
Tip
|
Use the Predicate helper tooltip inside the permission form — it shows common predicate patterns inline without leaving the page. |
MongoDB Options
The optional mongo object adds MongoDB-level security on top of the predicate match. These modifiers are applied transparently to every request that matches the rule.
readFilter
A MongoDB filter document appended to every read (GET) query. Clients can only see documents that match the filter, regardless of any filter parameter they provide.
Use case — row-level security:
{
"mongo": {
"readFilter": { "owner": "@user._id" }
}
}The placeholder @user._id is replaced at runtime with the authenticated user’s _id. This ensures each user sees only documents they own.
writeFilter
A MongoDB filter document applied to every write operation (PUT, PATCH, DELETE). Write operations are silently restricted to documents matching the filter.
Use case — prevent writing to other users' documents:
{
"mongo": {
"writeFilter": { "owner": "@user._id" }
}
}mergeRequest
A document merged into every write request body before it is persisted. Use this to automatically inject server-enforced fields that clients should not be able to forge.
Use case — auto-stamp ownership on document creation:
{
"mongo": {
"mergeRequest": { "owner": "@user._id" }
}
}projectResponse
A MongoDB projection applied to every response document before it is sent to the client. Use this to mask sensitive fields.
Use case — hide sensitive fields:
{
"mongo": {
"projectResponse": { "passwordHash": 0, "internalNotes": 0 }
}
}Available Variables in mongo Fields
| Variable | Value at runtime |
|---|---|
|
The |
|
The |
Priority and Evaluation Order
Rules with lower priority numbers are evaluated first. This is the opposite of what "priority" means in everyday language — think of it as evaluation order rather than importance.
| Priority value | Typical use |
|---|---|
|
Root / super-admin rules that must always win (e.g. |
|
Highly specific rules (exact paths, narrow method sets). |
|
Standard application rules. |
|
Catch-all or fallback rules. |
|
Tip
|
When two rules both match a request, the first one evaluated (lowest priority number) takes precedence. Structure your rules so the most specific rules have the lowest numbers. |
Worked Example: Role-Based Order Access
The following three ACL documents implement a typical order-management permission model:
/orders{
"_id": "adminsFullOrders",
"roles": ["admin"],
"predicate": "path-prefix('/orders')",
"priority": 10
}{
"_id": "usersCreateOrders",
"roles": ["user"],
"predicate": "path('/orders') and method('POST')",
"priority": 100,
"mongo": {
"mergeRequest": { "owner": "@user._id" }
}
}{
"_id": "usersReadOwnOrders",
"roles": ["user"],
"predicate": "path-prefix('/orders') and method('GET')",
"priority": 100,
"mongo": {
"readFilter": { "owner": "@user._id" }
}
}API Reference
| Operation | Endpoint |
|---|---|
List permissions |
|
Create permission |
|
Update permission |
|
Delete permission |
|
On Dedicated plans replace /acl with /restheart/acl in all paths above.
Related Pages
-
Managing Users — create the users and roles referenced in ACL rules.
-
Root User Setup — the initial
rootCanDoEverythingpermission is created here. -
Users and Permissions (API reference) — API-level permission examples.
-
Dedicated vs. Free/Shared Plans — understand collection path differences between plans.
-
Permission Management (full reference) — deep-dive into the
mongoAclAuthorizer, predicate language, and advanced patterns.