Apply ACL to a model

What you’ll build

Having followed this guide you will get an idea of how to apply Access Controls on a Model.

What you’ll need

To complete this guide, you will need the following -

  • an understanding of what a Model
  • a running NodeJS application built using the

How to complete this guide

  • To start with get a basic running oeCloud Application by following the steps mentioned here After npm install, Run the app from command prompt
node .
  • Browse http://localhost:3000/explorer
  • Use BaseUser/Login and POST
  "username": "admin",
  "password": "admin"
  • Set access token and create a model Product using ModelDefinition, POST in ModelDefinition the following json
    "name": "Product",
    "base": "BaseEntity",
    "strict": false,
    "plural": "Products",
    "idInjection": true,
    "options": {
        "validateUpsert": true
    "properties": {
        "code": {
            "type": "string",
            "source": "code",
            "required": true
        "name": {
            "type": "string",
            "source": "name",
            "required": true
        "category": {
            "type": "string",
            "source": "category"
        "price": {
            "type": "number",
            "source": "price"
        "description": {
            "type": "string",
            "source": "description",
            "required": true
    "validations": [],
    "relations": {},
    "acls": [],
    "methods": {},
  • Refresh swagger in browser, unset access token and find Product API.
  • Expand Product from swagger and POST a valid data, you should see response as 200 Ok.
  • Now POST in BaseACL model with access token set for admin user to add acl to Product model
      "model": "Product",
	  "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY",
      "accessType": "*"
      "model": "Product",
	  "principalType": "ROLE",
      "principalId": "$authenticated",
      "permission": "ALLOW",
      "accessType": "*"
  • Now try to post a valid data, you will see the post is successful. However, if you unset access token or logout and post a valid data in Product model, you should see 401 Authorization required error.

This is because, if you see the acls we added - 1st we denied all access to everyone, then allowed all authenticated users all access (authenticated means successfully logged in users)

We use loopback’s defualt acl capability to restrict data access. To know more about acls, their access level and default roles please see Loopback ACL guide

To apply ACL in file based model, edit the file based model json and add

  "property": "string",
  "accessType": "string",
  "permission": "string",
  "principalType": "string",
  "principalId": "string"


Property Description
property (Optional) the method you want the acl to affect, e.g. findOne or create
permission ALLOW/DENY
principalType loopback allowed principal type like ROLE or USER or Application
principalId the id of a user, role name or predefined roles like $everyone


Now you know

  • how to add ACL dynamically
  • how to add ACL in file based models
  • Different permissions, access types and properties for ACL