Skip to main content
There are four ways to control who can read and write data in Polybase:
  1. Allow all (read and write) - allow anyone to read data and/or call collection functions
  2. Delegation (read and write) - using @read, @call and @delegate directives
  3. Code (write only) - write code to check users permissions in collection functions
  4. Encryption (read only) - data is public but encrypted, only authorized users can decrypt it
For read rules, the entire record is always returned. There is no way to define read rules for specific fields. If you need to have some restricted data, create a separate collection and create a link between the collections.
Unless otherwise defined, all collections are private and fully restricted meaning no-one can read data or call collection functions. See Allow all to provide public access.

Allow all

If you want to allow anyone to read data and/or call contract data, you can add one of the following directives at the top of your collection:
  • @public - everyone can read and call any function
  • @read - everyone can read
  • @call - everyone can call any function

@public on collections

Allows anyone to read all records and call functions in the collection (it's the equivalent of adding @read and @call). You can still further restrict write permissions by adding custom code to your collections functions. 
@public
collection Response {
  ...
}

@read on collections

Allows anyone to read all records in the collection (but calls to functions are still restricted). 
@read
collection Response {
  ...
}

@call on collections

Allows anyone to call functions that do not have a @call directive. 
@call
collection Form {
  ...

  updateTitle (title: string) { ... }
}

Delegation

Delegation allows you to create rules across multiple records, allowing for complex permissions to be defined.
Delegation rules must always end in a PublicKey field. You must authenticate the user with using a signer function in order to use delegation.
You can annotate your collections with @read, @call and @delegate directives to control who can read, call and delegate data.

@read on fields

Allows anyone who can sign using the specified public key to read the record. 
collection Response {
  @read
  publicKey: PublicKey;
  ...
}

@call on functions

Allows anyone who can sign using the specified public key to call a given function. 
collection Form {
  @read
  creator: PublicKey;

  @call(creator);
  update ()  {
    ...
  }
}

@delegate + @read

Example of delegating read access to Response to a user with given publicKey: ResponseFormUserpublicKey: 
collection Response {
  // Delegate read permission to form/Form
  @read
  form: Form;
}

collection Form {
  // Delegate read permission to User
  @delegate
  creator: User;
}

collection User {
  // Delegate read permission to publicKey
  @delegate
  publicKey: PublicKey;
}

@delegate + @call

Example of delegating call permission to Response to a user with given publicKey: ResponseFormUserpublicKey: 
collection Response {
  form: Form;

  // Delegate call permission to form/Form
  @call(form)
  function approve () {

  }
}

collection Form {
  // Delegate call permission to User
  @delegate
  creator: User;
}

collection User {
  // Delegate call permission to publicKey
  @delegate
  publicKey: PublicKey;
}

Code

If you need more granular control over who can write data and call functions in Polybase, you can allow anyone to call the collection functions, but then write code to check the user’s permissions in the collection functions.
This can only be used to control call/write access to Polybase, not read access.
@public
collection Team {
  id: string
  members: string[]
  publicKey: PublicKey;

  // Anyone can call this function because of @public on collection
  addMember (id: string) {
    // But you must be signing using the correct key
    if (this.publicKey == ctx.publicKey) {
       throw error('invalid user');
    }

    // And there must not be already more than 5 members
    if (this.members.length > 5) {
      throw error('too many members');
    }

    // Now we have checked rules, we can write the data
    this.members.push(id);
  }
}

Encryption

You can make your data public (using the @public directive) but encrypted. This means that anyone can read the data, but only authorized users can decrypt it. For more information on encrypting data, see the Encryption guide.