question

Scott Cameron avatar image
Scott Cameron asked

Entity API Group methods policy error

Apparently, I'm not having any luck updating the ENTITY GLOBAL TITLE POLICY to allow API calls for the new Entity Groups API (like IsMember()). I am getting the following error:

/Group/IsMember: The claim was not allowed to perform the requested action based on the entity's access policy. Policy comment: By default, all requests are denied. If you expected this request to succeed, you may be missing a policy. See the permissions APIs in PlayFab's Admin Api to add a permission.

I also tried like the documentation suggested and use the Admin API to add a policy like:

[{
  "Resource": "pfrn:api--*", <br>  "Action": "*", 
  "Effect": "Allow", 
  "Principal": "*", 
  "Comment": "The default allow all policy"
}]

But nothing has worked. I feel like a big part of the documentation to get the Entity API working is missing still...?

Thanks

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Andy avatar image
Andy answered

It was surprisingly non-trivial, but I think I've got you set up with what you need now. I added two new group entity policies to ensure all users can read all groups' membership and roles. This should accomplish your goals, but please give it a try and let me know if there are other cases I missed.

Here are the specific policies I added:

  {
    "Action": "Read",
    "Effect": "Allow",
    "Resource": "pfrn:group--group!*/Members/*",
    "Principal": {
      "ChildOf": {
        "EntityType": "title",
        "EntityId": "F64D"
      }
    },
    "Comment": "Allow all players to read group members",
    "Condition": null
  },
  {
    "Action": "Read",
    "Effect": "Allow",
    "Resource": "pfrn:group--group!*/Roles/*",
    "Principal": {
      "ChildOf": {
        "EntityType": "title",
        "EntityId": "F64D"
      }
    },
    "Comment": "Allow all players to read group roles",
    "Condition": null
  }
2 comments
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Scott Cameron avatar image Scott Cameron commented ·

So it seems that it was the "Roles" Resource that I needed to make the IsMemeber() method function...? Because now it's working - I only had "Members" policy before your addition.

I'll post here in case I run into any further issue using any of the other Groups API methods.

Thanks so much. ^^

0 Likes 0 ·
Andy avatar image Andy ♦♦ Scott Cameron commented ·

Yep, that was news to me as well. It seems like being able to view members is useless if you can't also view roles. That documentation can't come soon enough!

0 Likes 0 ·
Andy avatar image
Andy answered

I think you're running into confusion (understandably) around the differences between API policy and entity policy. The resource string you have there is for an api policy, not entity policy. An equivalent entity policy resource string would look like "pfrn:data--*". I wouldn't recommend going like with that policy, but it might get you over the immediate hurdle. You can see a few more example of entity policy under settings on the API Features tab (under the header ENTITY GLOBAL TITLE POLICY).

I've bugged the team again about documentation on entity policy. Hopefully we'll get something out soon.

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Scott Cameron avatar image
Scott Cameron answered

I was only editing/appending to the ENTITY GLOBAL TITLE POLICY where you indicated. Since reading your answer I've tried for about another hour with different variations on attempting to guess at a correct policy (Resource?) to enable the Groups API methods without any more luck - I'm just shooting in the dark here and wasting time.

So, if you could do me a favor and help me get these Groups API methods working in my title it would be greatly appreciated: https://api.playfab.com/documentation/Groups

I would need any player to be able to make these API calls (not required to be a member of the group), so I'm assuming its the global title policy and not the group specific policy that needs the permission added...? I was referring to this post with my initial attempt to get the permission working: https://community.playfab.com/questions/18487/listgroupmembers-for-nonmember.html

For the documentation, you may want to consider adding the bit about having to add a policy to actually enable the APIs to the following links... because the sample code would actually require it to be done in order to function:

https://api.playfab.com/docs/tutorials/entities/getting-started-entities

https://api.playfab.com/docs/tutorials/entities/entity-groups

Thanks

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

admflp avatar image
admflp answered

4 years later, we are still waiting for the documentation for entity policies...

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Mohsen Jamali avatar image
Mohsen Jamali answered

What is going on? why there is no documentation about group policies? How are we supposed to guess which resource to use? This is nonsense. If something is exposed to the end-user to use there should be a documentation for it

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Error rendering WebPanel (widgets/consolidation-widget.ftl): org.hibernate.hql.internal.ast.QuerySyntaxException: AvailableConsolidation is not mapped [from AvailableConsolidation up where up.node = :node]