FQL v4 will be decommissioned on June 30, 2025. Ensure that you complete your migration from FQL v4 to FQL v10 by that date. For more details, review the migration guide. Contact support@fauna.com with any questions. |
ABAC best practices
Use UDFs to implement the principle of least privilege
When considering database and application security, the principle of least privilege should guide your planning. Fauna’s attribute-based access control (ABAC) can help you ensure that your user identities and user-defined functions all have the minimum access necessary to perform their jobs.
When you create a new
user-defined
function (UDF) with the CreateFunction
function, you can specify
a role in the role
field. A UDF with an assigned role runs with the
privileges of the specified role. A UDF with no role attached to it runs
with the same privileges as the identity that invoked it, which is fine
in some cases, but the security policy for an application is clearer
when every UDF has an associated role.
A UDF with an assigned role cannot perform any actions which exceed the privileges of the assigned role. For example, a UDF which is designed to perform a write operation but which has an assigned role without write privileges fails upon execution.
It is important to note, however, that an identity assigned to a role with
limited privileges can execute any UDF with an assigned role that grants
the call
privilege, even if the actions performed by the UDF exceed
the privileges assigned to the identity’s role.
When you create an API key with the CreateKey
function, the role
field specifies the level of access privilege for
the key. You can specify one of the four
built-in roles or a custom
role.
Use caution when creating keys with the The better practice is to create custom roles with appropriate access privileges and make sure that all API keys you create have the minimum level of access necessary for the identity to perform the required actions. |
Performance considerations
-
Limit the scope of operations used in ABAC role predicates wherever possible. ABAC roles are evaluated for every query, which can impact overall performance.
-
While ABAC roles can be used to filter out documents that should not be readable by the current client, such filtering can involve evaluating every document in a collection. Instead, use indexes for filtering.
Is this article helpful?
Tell Fauna how the article can be improved:
Visit Fauna's forums
or email docs@fauna.com
Thank you for your feedback!