I’m trying to figure out what access control features are supported in the open-source version but a lot of the articles and support documents start by going through the Cloud / Slash setup procedure.
Can anyone tell me if it is possible in/with the open-source version to only allow some specific users / JWT-subjects / JWT-scopes to create/read/update/delete specific objects / fields?
And would this work with an external JWT token provider with a subject and scopes?
ACL is an EE feature. It is available in the open source only for 30 days. You should build your ACL or use some third party lib(I don’t know one, but I think there are some) for this. In the other hand, you have a free Auth system in the GraphQL API.
Ah, so is ACL only for the non GraphQL interfaces? Akin to what SQL access to an RDB would be?
Yeah, sort of. You could potentially expose the ACLs to the end-users. As the usage is via the GraphQL admin side - you would expose the admin path(which I personally don’t recommend, but you do whatever you think is safe tho). So, your application would have to have a complicated business logic but it would work.
See more about ACL
https://dgraph.io/docs/enterprise-features/access-control-lists/