What I learnt about Access Control

Authentication vs Authorisation

Authentication — checks if the user is signed in.

What does the structure look like?

The Key Piece! => Session!

In the main KeystoneJS configuration, the Session passes the user details such as id , email, along with the request.

Schema access controls are set by Rules and Permissions

Like in a RPG game…

I find it easier to relate the 4 things used to set up access control to a game.

Putting everything together

  • Role is another Schema type, used specifically for assigning a set of permissions to users.
  • In KeystoneJS, for Roles, we can create an admin UI with a checkbox list of permissions that we can enable for different Roles.
  • In the Session, we can expose the permissions that a user has so that GraphQL queries can receive this user's permission info. See line 84.
  • The Rules are made of permissions and the session data, which gives access control more flexibility. Not only can we allow specific users to have access, we can also control the granularity of what they can access! For instance, in this example, the canReadProducts rule returns a Keystone query filter for users without specific permissions granted: they can see the products they own, and otherwise only available products.
return {
  OR: [{ user: { id: session.itemId } }, { status: 'AVAILABLE' }],
};
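To show how session, permissions and rules fit together, here is an added example (not the original post's code) that models the Keystone pattern in plain Node.js with an in-memory product list; the permission name canManageProducts, the field names user and status, and the session shape are assumptions.

```javascript
// Added example, not from the original post: a minimal model of
// Keystone-style session -> permissions -> rules applied to a product list.
// Names canManageProducts, user, status and the session shape are assumed.

// Permissions are looked up on the Role that the Session exposes.
const permissions = {
  canManageProducts: ({ session }) =>
    Boolean(session?.data?.role?.canManageProducts),
};

// Rules combine permissions with session data. A rule returns either a
// boolean (allow or deny everything) or a filter object that Keystone would
// merge into the underlying query, so the database does the narrowing.
const rules = {
  canReadProducts({ session }) {
    if (!session) return false; // not authenticated: deny
    if (permissions.canManageProducts({ session })) return true; // full access
    // Authenticated but unprivileged: own products, or any AVAILABLE product.
    return {
      OR: [{ user: { id: session.itemId } }, { status: 'AVAILABLE' }],
    };
  },
};

// Evaluator for the subset of Keystone filter syntax used above (OR, nested equality).
function matches(item, filter) {
  if (filter.OR) return filter.OR.some((f) => matches(item, f));
  return Object.entries(filter).every(([k, v]) =>
    v && typeof v === 'object' ? matches(item[k] ?? {}, v) : item[k] === v,
  );
}

// Apply the access rule to a list the way Keystone applies it to a query.
function readProducts(session, products) {
  const access = rules.canReadProducts({ session });
  if (access === false) return [];
  if (access === true) return products;
  return products.filter((p) => matches(p, access));
}

// Constructed sample data for the demonstration.
const products = [
  { id: 'p1', status: 'AVAILABLE', user: { id: 'u1' } },
  { id: 'p2', status: 'DRAFT', user: { id: 'u1' } },
  { id: 'p3', status: 'DRAFT', user: { id: 'u2' } },
];
const adminSession = { itemId: 'u9', data: { role: { canManageProducts: true } } };
const ownerSession = { itemId: 'u1', data: { role: { canManageProducts: false } } };
```

Returning a filter rather than a boolean is what gives the granularity the post describes: the unprivileged owner of u1 sees p1 and p2, an unprivileged stranger sees only p1, and a signed-out request sees nothing.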

Sherry Hsu