Entity API Group methods policy error

Question

question

Scott Cameron asked Sep 10, '18

Entity API Group methods policy error

Apparently, I'm not having any luck updating the ENTITY GLOBAL TITLE POLICY to allow API calls for the new Entity Groups API (like IsMember()). I am getting the following error:

/Group/IsMember: The claim was not allowed to perform the requested action based on the entity's access policy. Policy comment: By default, all requests are denied. If you expected this request to succeed, you may be missing a policy. See the permissions APIs in PlayFab's Admin Api to add a permission.

I also tried like the documentation suggested and use the Admin API to add a policy like:

[{
  "Resource": "pfrn:api--*", <br>  "Action": "*", 
  "Effect": "Allow", 
  "Principal": "*", 
  "Comment": "The default allow all policy"
}]

But nothing has worked. I feel like a big part of the documentation to get the Entity API working is missing still...?

Thanks

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Error rendering WebPanel (widgets/consolidation-widget.ftl): org.hibernate.hql.internal.ast.QuerySyntaxException: AvailableConsolidation is not mapped [from AvailableConsolidation up where up.node = :node]

Answer 1 · 2018-09-12T05:18:32Z

Andy answered Sep 12, '18

It was surprisingly non-trivial, but I think I've got you set up with what you need now. I added two new group entity policies to ensure all users can read all groups' membership and roles. This should accomplish your goals, but please give it a try and let me know if there are other cases I missed.

Here are the specific policies I added:

  {
    "Action": "Read",
    "Effect": "Allow",
    "Resource": "pfrn:group--group!*/Members/*",
    "Principal": {
      "ChildOf": {
        "EntityType": "title",
        "EntityId": "F64D"
      }
    },
    "Comment": "Allow all players to read group members",
    "Condition": null
  },
  {
    "Action": "Read",
    "Effect": "Allow",
    "Resource": "pfrn:group--group!*/Roles/*",
    "Principal": {
      "ChildOf": {
        "EntityType": "title",
        "EntityId": "F64D"
      }
    },
    "Comment": "Allow all players to read group roles",
    "Condition": null
  }

2

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Scott Cameron commented · Sep 12, 2018 at 05:28 PM

So it seems that it was the "Roles" Resource that I needed to make the IsMemeber() method function...? Because now it's working - I only had "Members" policy before your addition.

I'll post here in case I run into any further issue using any of the other Groups API methods.

Thanks so much. ^^

0 ·

Andy ♦♦ Scott Cameron commented · Sep 12, 2018 at 05:33 PM

Yep, that was news to me as well. It seems like being able to view members is useless if you can't also view roles. That documentation can't come soon enough!

0 ·

Answer 2 · 2018-09-10T20:46:42Z

Andy answered Sep 10, '18

I think you're running into confusion (understandably) around the differences between API policy and entity policy. The resource string you have there is for an api policy, not entity policy. An equivalent entity policy resource string would look like "pfrn:data--*". I wouldn't recommend going like with that policy, but it might get you over the immediate hurdle. You can see a few more example of entity policy under settings on the API Features tab (under the header ENTITY GLOBAL TITLE POLICY).

I've bugged the team again about documentation on entity policy. Hopefully we'll get something out soon.

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 3 · 2018-09-11T16:49:09Z

Scott Cameron answered Sep 11, '18

I was only editing/appending to the ENTITY GLOBAL TITLE POLICY where you indicated. Since reading your answer I've tried for about another hour with different variations on attempting to guess at a correct policy (Resource?) to enable the Groups API methods without any more luck - I'm just shooting in the dark here and wasting time.

So, if you could do me a favor and help me get these Groups API methods working in my title it would be greatly appreciated: https://api.playfab.com/documentation/Groups

I would need any player to be able to make these API calls (not required to be a member of the group), so I'm assuming its the global title policy and not the group specific policy that needs the permission added...? I was referring to this post with my initial attempt to get the permission working: https://community.playfab.com/questions/18487/listgroupmembers-for-nonmember.html

For the documentation, you may want to consider adding the bit about having to add a policy to actually enable the APIs to the following links... because the sample code would actually require it to be done in order to function:

https://api.playfab.com/docs/tutorials/entities/getting-started-entities

https://api.playfab.com/docs/tutorials/entities/entity-groups

Thanks

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 4 · 2022-11-29T01:31:43Z

admflp answered Nov 29, '22

4 years later, we are still waiting for the documentation for entity policies...

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 5 · 2022-12-22T09:02:58Z

Mohsen Jamali answered Dec 22, '22

What is going on? why there is no documentation about group policies? How are we supposed to guess which resource to use? This is nonsense. If something is exposed to the end-user to use there should be a documentation for it

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

question

Entity API Group methods policy error

5 Answers

Write an Answer

Navigation

Spaces

question details