How to define fine grained Cloud Save Access Control policies?

Hello,

I’m in the process of setting up the cloud save access policies for our project and am facing the following problem:
I want to deny the player any read or write access for most of the cloud save items and only allow read (or read and write) access for specific entries. How do I correctly define the resource path to the specific item I want to grant access to?
My access policy statements currently look like this:

{
    "statements": [
        {
            "Sid": "deny-cloud-save-access",
            "Effect": "Deny",
            "Action": [
                "*"
            ],
            "Principal": "Player",
            "Resource": "urn:ugs:cloud-save:/v1/data/projects/[ProjectID]/players/*"
        },
        {
            "Sid": "allow-read-write-skin",
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Principal": "Player",
            "Resource": "urn:ugs:cloud-save:/v1/data/projects/[ProjectID]/players/*/items/KEY_TO_SPECIFIC_ITEM"
        }
    ]
}

I also tried to specify the resource as:

"Resource": "urn:ugs:cloud-save:/v1/data/projects/[ProjectID]/players/*/items?keys=KEY_TO_SPECIFIC_ITEM"

Is there even a way to write a fine grained access policy that targets a specific entry in cloud save?

Thanks,
Chris

Hi VitaminBepis,

At this point Cloud Save keys can only be specified in a query parameter, not path parameters, and the access policies do not support filtering by query parameters.
You could deny all access to Cloud Save and drive access exclusively via Cloud Code where you have full control over who can access what. More information on integrating Cloud Save with Cloud Code can be found here.

The team is actively looking into better patterns for fine grained access controls for Cloud Save.
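
The approach suggested in the reply above (deny players all direct Cloud Save access and mediate every read and write in server-side code), sketched as an added example that is not part of the original thread or Unity's own code. The key names, the rule shape and the `store` interface are hypothetical; in a real script the store would be backed by the Cloud Save calls available to server-side code.

```javascript
// Added example: server-side per-key authorization for Cloud Save data.
// Key names, rule shape and the `store` interface are hypothetical.

// A Map (not a plain object) so keys like "constructor" or "__proto__"
// can never resolve to an inherited property and pass the check.
const KEY_RULES = new Map([
  ["skin", { read: true, write: true,
             validate: (v) => typeof v === "string" && v.length <= 64 }],
  ["rank", { read: true, write: false }],
]);

// Default deny: unknown keys and unknown actions are rejected.
function authorize(action, key) {
  if (action !== "read" && action !== "write") return false;
  const rule = typeof key === "string" ? KEY_RULES.get(key) : undefined;
  return rule !== undefined && rule[action] === true;
}

// playerId must come from the authenticated execution context, never from
// client-supplied parameters, or one player could address another's data.
async function handleRequest(store, playerId, request) {
  const { action, key, value } = request || {};
  if (!authorize(action, key)) return { ok: false, error: "forbidden" };
  if (action === "read") {
    return { ok: true, value: await store.get(playerId, key) };
  }
  const { validate } = KEY_RULES.get(key);
  if (validate && !validate(value)) return { ok: false, error: "invalid_value" };
  await store.set(playerId, key, value);
  return { ok: true };
}

// In-memory stand-in for the storage backend, so the example runs offline.
function makeMemoryStore() {
  const data = new Map();
  return {
    get: async (playerId, key) => data.get(JSON.stringify([playerId, key])),
    set: async (playerId, key, value) => {
      data.set(JSON.stringify([playerId, key]), value);
    },
  };
}
```

This only restricts anything if the blanket `Deny` statement for `Principal: "Player"` stays in the access policy, so the client cannot bypass the script and call Cloud Save directly.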

Hi Emil,
Thanks for the information! I will look into implementing a cloud code solution or work around it in some other way.