
GraphQL and Data Confidentiality (CRUD)


When you make a query or mutation against the GraphQL REST API, all access rights are checked based on the profile you are using.


The access rights are defined, in this order, at several levels:

  1. License level
  2. Option level
  3. Profile level
  4. Workflow level
  5. Data Reading or Writing access rules (graph or macro)

Each time you make a query or a mutation, HOPEX checks that you are allowed to perform this action:

  • For a query: it checks the "Read" access rights (R).
  • For a mutation: it checks the "Write" access rights (CRUD).
    • Create when creating a new object
    • Update when updating an existing object
    • Delete when deleting an existing object




In a query, if you are not allowed to view the requested information, you will get:

  • a null value for a field (MetaAttribute)
  • an empty array for a relationship (MetaAssociation)



In a mutation, if you are not allowed to create/update/delete the requested object or its fields, you will get:

  • an error on each field you are not allowed to edit, with the message: "You are not allowed to perform this action..."
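
Because a denied read comes back as a null or an empty array rather than an error, a client cannot tell "no access" from "no value" without checking. The following added example (not HOPEX code) walks a response and lists both the silent gaps and the explicit write denials. The type and field names and the sample responses are constructed, and the standard GraphQL `errors` array with `message` and `path` is assumed.

```python
import json

DENIED_PREFIX = "You are not allowed to perform this action"  # message text quoted above

# Constructed sample responses; type and field names are hypothetical.
QUERY_RESPONSE = json.loads("""
{"data": {"application": [
  {"id": "A1", "name": "Billing", "comment": null, "businessProcess": []},
  {"id": "A2", "name": "CRM", "comment": "ok",
   "businessProcess": [{"id": "P1", "name": null}]}
]}}
""")
MUTATION_RESPONSE = json.loads("""
{"data": {"updateApplication": {"id": "A1", "name": "Billing"}},
 "errors": [
  {"message": "You are not allowed to perform this action...",
   "path": ["updateApplication", "name"]},
  {"message": "Syntax error", "path": ["updateApplication"]}
]}
""")

def find_silent_gaps(node, path=()):
    """Yield (path, kind) for every null field or empty relationship array."""
    if node is None:
        yield path, "null field"
    elif isinstance(node, list):
        if not node:
            yield path, "empty relationship"
        for index, item in enumerate(node):
            yield from find_silent_gaps(item, path + (index,))
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from find_silent_gaps(value, path + (key,))

def denied_writes(response):
    """Return the paths of errors that carry the permission-denied message."""
    return [tuple(err.get("path", ())) for err in response.get("errors", [])
            if err.get("message", "").startswith(DENIED_PREFIX)]

def audit(response):
    """Summarise what the profile may not have been able to read or write."""
    return {"possible_read_denials": list(find_silent_gaps(response.get("data"))),
            "write_denials": denied_writes(response)}

if __name__ == "__main__":
    print(audit(QUERY_RESPONSE))
    print(audit(MUTATION_RESPONSE))
```

A flagged path is only a candidate: compare it with the same query run under a profile known to have read access to confirm whether the value is missing or hidden.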


Managing permission


You should ensure that the profile you use when querying the application is properly configured with the CRUD.


For more details, read the documentation:


