Type-level permissions determine the who can access the data in a given content type. They apply to all items of that type.
You can use policies or roles to specify type-level permissions. A policy is a predefined permissions set based on commonly used security patterns. For more granular permissions you need to use roles.
Telerik Platform supports four predefined security policies on type level: Private, Public, Shared, and Read-only. Those policies offer a convenient mechanism for supporting common access control scenarios without having to manage complex settings.
For instance, the
Users content type needs to allow anonymous users to register, which corresponds to the create operation. That is why
Users comes with Shared permissions by default. Naturally, you can switch to role-based permissions and allow only a given role to create user registrations, or you can implement additional checks using Cloud Code.
The Private policy implements the "read yours, write yours" pattern. This means that everyone can create items for the content type, but users can only read, update or delete their own items.
The Public policy ensures that everyone can invoke all operations on the content type. Use this with caution, because with this policy even anonymous users can delete your data.
The Shared policy is very common and gives you the "read all, write yours" model. With this model everyone can create and read items, but users can only update or delete their own items.
The Read-only policy is meant for some system content types, where users must be able to read the data, but cannot add new items or edit or delete existing.
By default, when you create a new app,
Files are using the Shared security policy. This means that everyone can create users and files and can read all of the existing ones. Consider changing the security settings for those types if you have other requirements for your application.
When you add a new content type to your app, it is automatically initialized with Public permissions.
Consider changing the default policy to something more restrictive that meet both your business and security needs.
The content type owner has different permissions under each predefined access control policy. To let the user exercise these permissions, you need to make sure that the user is indeed logged in to your application. Otherwise, they will operate with Anonymous permissions.