I'm unable to prevent the client from being able to set master_player_account Objects by adding an API policy in Entity Global Title Policy. Here is the policy I added:
{
"Action": "Write",
"Effect": "Deny",
"Resource": "pfrn:data--*!*/Profile/Objects/*",
"Principal": "*",
"Comment":
"Only title can edit master user objects",
"Condition": {
"CallingEntityType": "master_player_account"
}
On the client side my SetObjectsRequest is:
SetObjectsRequest request = new SetObjectsRequest()
{
Entity = new PlayFab.DataModels.EntityKey() { Id = playFabId, Type = "master_player_account" }, Objects = entityObjs
};
This always results in the Object getting set. If I change "CallingEntityType" to title_player_account it has not difference but it does prevent the title_player_account objects from being set, as expected. This also prevents characters from being able to set objects. As an aside, when this prevention happens for a character, that character does not seem to be returned in the CloudScript call server.GetAllUsersCharacters(), at least for a certain amount of time.
How do I prevent the client from setting master_player_account objects?