# Access Control
Database permissions are divided between the Mini Program end and management end, and the latter includes cloud functions and the console. The Mini Program end runs within the Mini Program and has restricted read/write access to the database. The management end runs on cloud functions and has full read/write access to the database. Like the management end, the cloud console has full permissions. Database operations performed on the Mini Program end are subject to the strict security rules.
In the preliminary stage, we offer the following permission configurations for database operations, with each collection allowed to have one permission configuration. The permission configuration rules are applied to each record in the collection. For ease of use and security, Cloud Base performs deep integration of Mini Programs for cloud databases. Each database record created in the Mini Program comes with information regarding the record creator (i.e. Mini Program user). A user's openid saved in the _openid field can be found in the records created by the user. Therefore, access control is primarily concerned with whether a user should have permissions to operate on data created by other users.
The followings are arranged by permission level from low to high:
- Only the creator has the write permission, and everyone has the read permission: Data can only be written by the creator, but can be read by all users, such as an article.
- Only the creator has the read/write permission: Only the creator can read or write data, such as a private album.
- Only the management end has the write permission, and everyone has the read permission: Data can only be written by the management end, but can be read by all users, such as product information.
- Only the management end has the read/write permission: Only the management end can read and write data, such as the unexposed data used in the backend.
In short, the management end always has the read/write permission for all data, while the Mini Program end is never allowed to write the data created by others. In fact, the permissions to read and write the records on the Mini Program end are divided into "Only the creator has the write permission, and everyone has the read permission", "Only the creator has the read/write permission", "Only the management end has the write permission, and everyone has the read permission", and "Only the management end has the read/write permission".
The permissions of a user on the Mini Program end and management end in different modes are shown below:
| Mode | Mini Program Read self-created data | Mini Program Write self-created data | Mini Program Read data created by others | Mini Program Write data created by other | Management end Read and write any data |
|---|---|---|---|---|---|
| Only the creator has the write permission, and everyone has the read permission | √ | √ | √ | × | √ |
| Only the creator has the read/write permission | √ | √ | × | × | √ |
| Only the management end has the write permission, but everyone has the read permission | √ | × | √ | × | √ |
| Only the management end has the read/write permission: The data can only be read and written on the management end | × | × | × | × | √ |
Care should be taken when setting collection permissions to prevent unauthorized operations.