Muhammad Roshaan Tariq asked

How to edit Entity Access Policy?

Hi,

I am trying to build a function in which I am checking if the user is a member of the group, and based on the response from this API I am editing some UI at runtime.

But when I try to run this function there's an error in the response and it says:

"The claim was not allowed to perform the requested action based on the entity's access policy. Policy comment: By default, all requests are denied. If you expected this request to succeed, you may be missing a policy. See the permissions APIs in PlayFab's Admin Api to add a permission."

So, I have a couple of questions related to this problem:

-> What does this mean?

-> Where can I access the API permissions to allow this function?

-> Do I have to code this in cloudscript/server side?


Basically I want to check if the [Redacted] user is a part of [Redacted] group. And for that I believe this is the only way, Right?

Is there any way I can use cloudscript here? Where I pass the PlayfabID of my user along with GroupID and check if they are part of the group or not?

Muhammad Roshaan Tariq answered

@SethDu
Basically I want to check if the [Redacted] user is a part of [Redacted] group. And for that I believe this is the only way, Right?

Is there any way I can use cloudscript here? Where I pass the PlayfabID of my user along with GroupID and check if they are part of the group or not?

5 comments

Seth Du ♦ commented ·
  • If you want to check whether one user is in a group while the query initiator is not in this group, then yes, you have to modify the policy.
  • However, if you are using Cloud Script, it won't be necessary to modify the policy because in Cloud Script, it is using a title-level entity token, which will be like server API. You can directly check it.

P.S. PlayFabID is the master player account ID; in most cases, we use the title player account ID for entity APIs.

0 Likes 0 ·
Muhammad Roshaan Tariq commented ·

@SethDu

Alright, thanks for letting me know. I don't want to allow every user to have this access so I thought I should try this on cloudscript side.

->Can you please share the sample code snippet which can help me understand this function for cloudscript? Because you guys don't have the cloudscript document, Thanks!

0 Likes 0 ·
Seth Du ♦ Muhammad Roshaan Tariq commented ·

Sure thing, but first there is some documentation you may refer to: https://docs.microsoft.com/en-us/gaming/playfab/features/automation/cloudscript/.

For your scenario, I have written some code to test on Cloud Script, which is a very simple usage of the IsMember API:

handlers.myfunctiontest = function (args, context) {
    // Group to query and the entity whose membership is being checked
    var request = {
        "Group": {
            "Id": "[Group ID here]"
        },
        "Entity": {
            "Id": "[Entity ID here]",
            "Type": "title_player_account",
            "TypeString": "title_player_account"
        }
    };

    // The call runs with the title-level entity token
    var result = entity.IsMember(request);
    return result;
};

Then I call the ExecuteCloudScript API on Postman (a RESTful testing tool) with the request:

{
  "FunctionName": "myfunctiontest",
  "RevisionSelection": "Live",
  "GeneratePlayStreamEvent": true
}
0 Likes 0 ·
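A variant of the handler above, as an added example that is not from the thread or from PlayFab: since Cloud Script calls use a title-level entity token, the handler's own checks decide what a client can learn, so this version takes the player from the call context instead of from client arguments. `QUERYABLE_GROUPS`, the `groupId` argument and the reliance on `context.currentEntity` (assumed to be populated when the function is invoked through ExecuteEntityCloudScript) are assumptions.

```javascript
// Added example; not PlayFab's or the thread author's code.
// Hypothetical allowlist of group IDs this title lets clients ask about.
var QUERYABLE_GROUPS = { "CONSTRUCTED-GROUP-ID": true };

// entityApi is passed in so the logic can be exercised with a stub; inside
// CloudScript it is the global `entity` object used in the snippet above.
function isCallerInGroup(args, context, entityApi) {
    // Assumption: ExecuteEntityCloudScript populates context.currentEntity
    // with the caller's profile. Identity is taken from there, never from args.
    var caller = context && context.currentEntity && context.currentEntity.Entity;
    if (!caller || caller.Type !== "title_player_account") {
        return { ok: false, error: "caller is not a title player account" };
    }
    var groupId = args && args.groupId;
    if (typeof groupId !== "string" ||
        !Object.prototype.hasOwnProperty.call(QUERYABLE_GROUPS, groupId)) {
        return { ok: false, error: "group is not queryable" };
    }
    var result = entityApi.IsMember({
        Group: { Id: groupId },
        Entity: { Id: caller.Id, Type: caller.Type }
    });
    // Return only the boolean, not the raw API response.
    return { ok: true, isMember: result.IsMember === true };
}

// Register the handler only when running inside CloudScript.
if (typeof handlers !== "undefined" && typeof entity !== "undefined") {
    handlers.isCallerInGroup = function (args, context) {
        return isCallerInGroup(args, context, entity);
    };
}
```
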
Muhammad Roshaan Tariq Muhammad Roshaan Tariq commented ·

@SethDu

What is the difference between PlayfabUserID and EntityID? Aren't they the same?

0 Likes 0 ·
Seth Du ♦ Muhammad Roshaan Tariq commented ·

PlayFabID, specifically, is the master player account ID, which is unique within a studio and is shared among titles in the same studio. Login information (identities) and Player Data (Publisher) can be shared between titles. You may use the same identities, like customID, to log in to different titles in the same studio without generating new accounts.

Entity ID has many types; the full list is here: https://docs.microsoft.com/en-us/gaming/playfab/features/data/entities/available-built-in-entity-types. If the type is Master Player Account, it is the same as PlayFab ID. However, many entity-related API calls require a title player account ID, which is unique within a title. That's why there are 2 IDs that can be found on a player's overview page.

0 Likes 0 ·
Seth Du answered

You need to edit the Group Policy, which is part of Entity Policy. There are 2 ways to update group policy. You can either enter the overview page of the group, navigate to the Policy page or find it at [Title Settings] -> [API Features] -> [Entity Group Title Policy].

You are asking to grant the permission for all the players in this title to be able to use this API. To make it work, you need to find this entry:

{
    "Action": "Read",
    "Effect": "Allow",
    "Resource": "pfrn:group--*!*/Roles/*",
    "Principal": {
        "MemberOf": {
            "RoleId": "*"
        }
    },
    "Comment": "Allow members of the group to read all roles in the group",
    "Condition": null
},


Modify it as:

{
    "Action": "Read",
    "Effect": "Allow",
    "Resource": "pfrn:group--*!*/Roles/*",
    "Principal": {
        "ChildOf": {
            "EntityType": "title",
            "EntityId": "[Your title ID]"
        }
    },
    "Condition": null
},

You may replace the Entity ID with your title ID. In addition, the following principals will also work:

"Principal": "*"

"Principal": {
    "ChildOf": {
        "EntityType": "namespace",
        "EntityId": "[your publisher ID]"
    }
}

Ps. You may find the publisher ID at [Title Settings] -> [API Features].
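
The replacement principals above differ in how many callers they admit. The following audit is an added example, not PlayFab tooling or part of the answer; it flags Allow statements whose Principal is wider than group membership. The scope labels are this example's reading of the Principal shapes quoted above, and the IDs are constructed.

```javascript
// Added example; scope labels are an interpretation of the shapes in the answer.
function principalScope(principal) {
    if (principal === "*") { return "anyone"; }
    if (principal && principal.ChildOf) {
        var type = principal.ChildOf.EntityType;
        if (type === "namespace") { return "every entity under the publisher"; }
        if (type === "title") { return "every entity under the title"; }
        return "children of " + type;
    }
    if (principal && principal.MemberOf) { return "group members"; }
    return "unrecognized"; // flagged too, so unknown shapes get reviewed
}

// Report Allow statements whose principal reaches beyond the group's own members.
function auditGroupPolicy(statements) {
    var findings = [];
    statements.forEach(function (s, index) {
        if (s.Effect !== "Allow") { return; }
        var scope = principalScope(s.Principal);
        if (scope !== "group members") {
            findings.push({ index: index, action: s.Action,
                            resource: s.Resource, scope: scope });
        }
    });
    return findings;
}

// Constructed policy built from the statement shapes quoted in the answer.
var samplePolicy = [
    { Action: "Read", Effect: "Allow", Resource: "pfrn:group--*!*/Roles/*",
      Principal: { MemberOf: { RoleId: "*" } } },
    { Action: "Read", Effect: "Allow", Resource: "pfrn:group--*!*/Roles/*",
      Principal: { ChildOf: { EntityType: "title", EntityId: "CONSTRUCTED-TITLE-ID" } } },
    { Action: "Read", Effect: "Allow", Resource: "pfrn:group--*!*/Roles/*",
      Principal: { ChildOf: { EntityType: "namespace", EntityId: "CONSTRUCTED-PUBLISHER-ID" } } },
    { Action: "Read", Effect: "Allow", Resource: "pfrn:group--*!*/Roles/*",
      Principal: "*" }
];
```

Calling `auditGroupPolicy(samplePolicy)` returns one finding per widened statement, which makes the difference between the title, namespace and `"*"` principals visible before the policy is saved.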

2 comments

besjanxhika commented ·

Hi @SethDu, you mentioned "There are 2 ways to update group policy"; could you please also indicate which is the second way?

While testing with changing group policy (basically "deny all") the group was blocked for any user and cannot be deleted or modified, so was wondering if there's another way to change its policy or delete it somehow.

0 Likes 0 ·
Marian Stychuk besjanxhika commented ·

I believe the second one is the API

0 Likes 0 ·
