Apparently, I'm not having any luck updating the ENTITY GLOBAL TITLE POLICY to allow API calls for the new Entity Groups API (like IsMember()). I am getting the following error:
/Group/IsMember: The claim was not allowed to perform the requested action based on the entity's access policy. Policy comment: By default, all requests are denied. If you expected this request to succeed, you may be missing a policy. See the permissions APIs in PlayFab's Admin Api to add a permission.
I also tried, as the documentation suggested, using the Admin API to add a policy like:
[
  {
    "Resource": "pfrn:api--*",
    "Action": "*",
    "Effect": "Allow",
    "Principal": "*",
    "Comment": "The default allow all policy"
  }
]
But nothing has worked. I feel like a big part of the documentation to get the Entity API working is missing still...?
Thanks
Answer by Andy · Sep 12, 2018 at 05:18 AM
It was surprisingly non-trivial, but I think I've got you set up with what you need now. I added two new group entity policies to ensure all users can read all groups' membership and roles. This should accomplish your goals, but please give it a try and let me know if there are other cases I missed.
Here are the specific policies I added:
{
  "Action": "Read",
  "Effect": "Allow",
  "Resource": "pfrn:group--group!*/Members/*",
  "Principal": {
    "ChildOf": {
      "EntityType": "title",
      "EntityId": "F64D"
    }
  },
  "Comment": "Allow all players to read group members",
  "Condition": null
},
{
  "Action": "Read",
  "Effect": "Allow",
  "Resource": "pfrn:group--group!*/Roles/*",
  "Principal": {
    "ChildOf": {
      "EntityType": "title",
      "EntityId": "F64D"
    }
  },
  "Comment": "Allow all players to read group roles",
  "Condition": null
}
So it seems that it was the "Roles" Resource that I needed to make the IsMember() method function...? Because now it's working - I only had "Members" policy before your addition.
I'll post here in case I run into any further issues using any of the other Groups API methods.
Thanks so much. ^^
Yep, that was news to me as well. It seems like being able to view members is useless if you can't also view roles. That documentation can't come soon enough!
Answer by Andy · Sep 10, 2018 at 08:46 PM
I think you're running into confusion (understandably) around the differences between API policy and entity policy. The resource string you have there is for an API policy, not entity policy. An equivalent entity policy resource string would look like "pfrn:data--*". I wouldn't recommend going live with that policy, but it might get you over the immediate hurdle. You can see a few more examples of entity policy under settings on the API Features tab (under the header ENTITY GLOBAL TITLE POLICY).
I've bugged the team again about documentation on entity policy. Hopefully we'll get something out soon.
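The contrast between the allow-all statement and the scoped Members/Roles statements in this thread, as an added example that is not part of any post and is not PlayFab code: a small audit that flags wildcard fields before a policy goes live. It is a heuristic over the statement fields shown here only; the `pfrn:<namespace>--<path>` split and the function names are assumptions, and it does not model how PlayFab evaluates policy.

```python
import json

# Statements copied from the thread: the asker's allow-all attempt and the
# two scoped group policies from the accepted answer.
POLICY = json.loads("""
[
  {"Resource": "pfrn:api--*", "Action": "*", "Effect": "Allow",
   "Principal": "*", "Comment": "The default allow all policy"},
  {"Action": "Read", "Effect": "Allow",
   "Resource": "pfrn:group--group!*/Members/*",
   "Principal": {"ChildOf": {"EntityType": "title", "EntityId": "F64D"}},
   "Comment": "Allow all players to read group members", "Condition": null},
  {"Action": "Read", "Effect": "Allow",
   "Resource": "pfrn:group--group!*/Roles/*",
   "Principal": {"ChildOf": {"EntityType": "title", "EntityId": "F64D"}},
   "Comment": "Allow all players to read group roles", "Condition": null}
]
""")

def audit_statement(stmt):
    """Return a list of findings for one statement (heuristic only)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # only Allow statements can widen access
    if stmt.get("Action") == "*":
        findings.append("action wildcard: grants every action, not just Read")
    if stmt.get("Principal") == "*":
        findings.append("principal wildcard: not scoped to a title or entity")
    # Assumed layout "pfrn:<namespace>--<path>": a path made only of "*" and "/"
    # covers the whole namespace (this also catches "pfrn:data--*").
    namespace, sep, path = stmt.get("Resource", "").partition("--")
    if sep and path.strip("*/") == "":
        findings.append(f"resource wildcard: covers all of {namespace}")
    return findings

def audit_policy(statements):
    """Map each statement's Comment to its findings; empty list means scoped."""
    return {s.get("Comment", "<no comment>"): audit_statement(s) for s in statements}

if __name__ == "__main__":
    for comment, findings in audit_policy(POLICY).items():
        print(("REVIEW  " if findings else "OK      ") + comment)
        for finding in findings:
            print("        - " + finding)
```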
Answer by Scott Cameron · Sep 11, 2018 at 04:49 PM
I was only editing/appending to the ENTITY GLOBAL TITLE POLICY where you indicated. Since reading your answer I've tried for about another hour with different variations on attempting to guess at a correct policy (Resource?) to enable the Groups API methods without any more luck - I'm just shooting in the dark here and wasting time.
So, if you could do me a favor and help me get these Groups API methods working in my title it would be greatly appreciated: https://api.playfab.com/documentation/Groups
I would need any player to be able to make these API calls (not required to be a member of the group), so I'm assuming it's the global title policy and not the group specific policy that needs the permission added...? I was referring to this post with my initial attempt to get the permission working: https://community.playfab.com/questions/18487/listgroupmembers-for-nonmember.html
For the documentation, you may want to consider adding the bit about having to add a policy to actually enable the APIs to the following links... because the sample code would actually require it to be done in order to function:
https://api.playfab.com/docs/tutorials/entities/getting-started-entities
https://api.playfab.com/docs/tutorials/entities/entity-groups
Thanks