James McGhee asked

ENTITY GLOBAL TITLE POLICY so that only members can read Entity Objects of an Entity Group

Trying to solve a need wherein we need to reasonably assure that only members of a group can read the data in an Entity Object ...

Digging around, we found similar questions suggesting that restricting who can do what with an Entity Group can be configured to some degree via policy.

We also saw in the question here https://community.playfab.com/questions/25747/group-roles.html that this can be set at the title policy level.

What we can't find is any documentation on what the policy should look like. The policy we want to set is simply that any member of a group can read and write to that group's EntityObjects but that non-members of the group can neither read nor write to the Entity Objects.


1 Answer

Rick Chen answered

I am afraid that there is no official document about group policy currently. You could set up the group policy with the following steps:

  • Use the CreateGroup API to create a group. The creator account will become a group admin by default.
  • Use the GetProfile API to get the group profile. By default, there should be a policy that looks like this (I used Postman):
                {
                    "Resource": "pfrn:data--*!*/*",
                    "Action": "*",
                    "Effect": "Allow",
                    "Principal": {
                        "MemberOf": {
                            "RoleId": "admins"
                        }
                    },
                    "Comment": "Allow members of the group administrator role to modify group profile data and files"
                }
  • This is the policy that controls who can read and write the Entity Object using GetObjects and SetObjects.
  • Copy the entire Policy Statements, change the “RoleId” property from “admins” to “*”, then paste it into the SetProfilePolicy API request body and send the request to update the policy.
  • After the update succeeds, the group will allow any member to read and write to the group’s Entity Object.

If you have any further questions, please feel free to ask.

2 comments

James McGhee commented

Would it be possible to make this the default, possibly via the Entity Global Title Policy, or does this need to be done for each group?

Rick Chen commented (in reply to James McGhee)

No, it cannot be made the default. Nonetheless, you can integrate the CreateGroup API and the SetProfilePolicy API using CloudScript as below:

handlers.CreateGroupWithPolicy = function(args, context) {
    // Look up the calling player's entity key from the account info
    var player_account = server.GetUserAccountInfo({ PlayFabId: currentPlayerId });
    var player_entity = player_account.UserInfo.TitleInfo.TitlePlayerAccount;
    // Create the group on behalf of that player
    var new_group = entity.CreateGroup({ GroupName: args.GroupName, Entity: player_entity });
    // Replace the new group's policy statements with your own
    var result = entity.SetProfilePolicy({
        Statements: your_policy, // paste your entire policy here
        Entity: new_group.Group
    });
};


Then the client can use ExecuteCloudScript API to call this function and create a group with the policy statements you defined.

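The edit described in the answer's steps, which also produces the value that `your_policy` stands for in the CloudScript comment, written out as an added example (not code from the thread or from PlayFab). The helper names and the second sample statement are assumptions constructed for illustration; the functions only transform and check the statements array and make no PlayFab API calls.

```javascript
// Resource string taken from the default statement quoted in the answer.
var DATA_RESOURCE = "pfrn:data--*!*/*";

// Hypothetical helper: returns a copy of the statements in which the "admins"
// data statement applies to every group role ("*"). Other statements and the
// input array are left untouched.
function widenDataPolicy(statements) {
  var changed = 0;
  var updated = statements.map(function (s) {
    var role = s.Principal && s.Principal.MemberOf && s.Principal.MemberOf.RoleId;
    if (s.Resource !== DATA_RESOURCE || s.Effect !== "Allow" || role !== "admins") {
      return s;
    }
    var copy = JSON.parse(JSON.stringify(s)); // deep copy so the input is not mutated
    copy.Principal.MemberOf.RoleId = "*";
    changed += 1;
    return copy;
  });
  if (changed === 0) {
    throw new Error("no admins data statement found; policy not changed");
  }
  return updated;
}

// Hypothetical check to run before sending the update: lists every Allow
// statement on the data resource whose Principal is not scoped by MemberOf,
// i.e. a grant that would not be limited to members of the group.
function nonMemberDataGrants(statements) {
  return statements.filter(function (s) {
    var scoped = s.Principal && typeof s.Principal === "object" && s.Principal.MemberOf;
    return s.Resource === DATA_RESOURCE && s.Effect === "Allow" && !scoped;
  });
}

// Constructed sample: the first statement is the default quoted in the answer;
// the second uses a placeholder resource string, not a real PlayFab resource.
var sampleStatements = [
  { Resource: "pfrn:data--*!*/*", Action: "*", Effect: "Allow",
    Principal: { MemberOf: { RoleId: "admins" } },
    Comment: "Allow members of the group administrator role to modify group profile data and files" },
  { Resource: "pfrn:placeholder--constructed", Action: "*", Effect: "Allow",
    Principal: { MemberOf: { RoleId: "admins" } },
    Comment: "Constructed second statement, must pass through unchanged" }
];
```

The array returned by `widenDataPolicy` is what would be supplied as `Statements` in the SetProfilePolicy request, once `nonMemberDataGrants` returns an empty list for it.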
