I am new to firebase and I have developed an app which can save documents. I want to assign a role to my team member who can view "Real-Time Data" but not the "Storage" as few files are confidential. The team mate should not have access to view storage files in firebase.
Can I do this by adding rules in firebase? If yes, how?
If I cannot do this, what is the alternate?
Within the Firebase console you can assign these broad roles to the collaborators on a project:
As you can see, Database and Storage are in the same role here, so you can't assign different permissions for them.
Luckily you can also define a custom role in the Cloud console, which allows you fine grained control over what a collaborator can do.
You'll want to read the documentation on granting, changing and revoking access in the Cloud documentation, and then build a role that has the necessary Firebase product-level predefined roles. Since you want the collaborator to only have access to Realtime Database, you'll need one of these:
Role: Firebase Realtime Database Admin
roles/firebasedatabase.admin
Description: Full read/write access to
Realtime Database resources
Realtime Database Admin permissions:
firebasedatabase.instances.create
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedatabase.instances.update
Role: Firebase Realtime Database Viewer
roles/firebasedatabase.viewer
Description: Read-only access to Realtime Database resources
Realtime Database Viewer permissions:
firebasedatabase.instances.get
firebasedatabase.instances.list
Related
I have a blaze account on firestore. I'm trying to create a new firestore database and get this message:
"To manage Cloud Firestore, ask a project owner for the necessary permissions"
My roles:
Cloud Storage for Firebase Admin,
Firebase Admin
Firebase Analytics Admin
Firebase Develop Admin
Firebase Rules System
What else should I have?
I'm attaching to 2 images:
firestore page
IAM - my roles
Thank you,
Geanni
The roles you've listed give you read/write access to the various Firebase services, but not the ability to add and remove them entirely from a project - that permission comes from Google Cloud itself.
The basic IAM roles define an Owner role that contains the needed permissions, but this is probably not what you are looking for.
At a more fine-tuned level, you should be able to use roles/datastore.owner to grant the ability to provision a Firestore database (Firestore is a layer on top of Datastore). That should be all you would need, but you might also need to consider roles/appengine.appAdmin too.
Relevant links:
Datastore IAM permissions
Firebase documentation on IAM permissions.
As documented here, you need the follow role:
Firebase Develop Admin - roles/firebase.developAdmin
I have created an app, that allows users to create a simple photo collection. All the data is stored in the Firebase Cloud Firestore. The images are uploaded to Firebase Storage.
The owner of a collection can invite any other user to access his collection and upload photos.
The sharing of data in Firestore works fine. But now I have problems with writing the security rules for Storage. Does anyone know, how I have to write the rules, so that any user added to the collection can access the images as well? The files for each collection are stored in separate folders.
Firebase security rules currently do not bridge between products. You can't use data in Cloud Firestore in security rules for Cloud Storage. The only things you have access to in security rules for Cloud Storage are object metadata and Firebase Authentication custom claims per user. You will have to figure out a way to make changes to either one of those things to implement your permissions.
Alternatively, you can direct all access through Cloud Functions to decide if the user should be able to access the content, but bear in mind that Cloud Functions responses can only be 10MB maximum.
You should look into creating a private group and authenticate the group with help of private token.
https://firebase.google.com/docs/storage/security/user-security#group_private
Is there a way to make the cloud firestore database entries for a specific collection private or hidden in firebase console making them unreadable / unaccessible from even the project owner accounts?
You can add users to your project with different roles (owner, editor or viewer) but it's for the entire project. You cannot add users with custom privilege to access for instance, only a collection or a subcollection.
No, this is not possible. What you can do is create a new firestore project and restrict which users have access to that specific project. However, all users on that project will have access to that entire database.
is there any way for a developer who has access to the Firebase console to be restricted access to the real-time database, preventing them from reading and writing any data directly?
When you add a collaborator to the Users and permissions panel of the Firebase console, you can set what permissions they have. The defaults are Owner, Editor, and Viewer, with the latter granting read-only access to all (Firebase and Cloud) products in the console.
You can also choose Assign Firebase role(s), in which case you can select per Firebase product what permission the user has. In this case you can exclude them from having access to the Firebase Realtime Database.
I need to grant permissions to a user for my Firebase project. But this user should only have access to adding data on Real-Time Firebase Database. I think it should be done here:
User can only add and delete data in firebaseDatabase and nothing more here:
How do I set permissions for this user?
There currently is no way to give product-level permissions to a collaborator on the Firebase console. Either they have access to the console, or they don't have access. You can give them read-only access, but that doesn't sound like what you need.