Security and permissions
Authentication and authorization mechanisms in your chat app let you decide who can access what resources based on identity and permissions. Additional security measures let you send and receive messages and files through your chat app, preventing unauthorized users from accessing that data.
Add or remove access to resources
PubNub Chat SDKs provide authorization in your chat app through Access Manager - a secure, token-based permission administrator that lets you regulate clients' access to such PubNub resources as channels and users.
By making a single call to Access Manager API, you can define multiple user permissions saying who can do what with your client or server app data. Those permissions are stored within a token that you can then pass to the client device. The client device uses this token to authenticate with PubNub and access the resources you've defined.
Depending on whether you create a client or server app, there are three possible actors involved in the authorization cycle: PubNub (server), your own server, and a client device. For more details, read the authorization workflow.
Set the token
As long as the tokens with correct permissions are granted and set in the client that uses the Chat SDK, it doesn't matter which SDK grants them.
When you have the token with the correct permissions, you can set it in the Chat SDK. Refer to each Chat SDK's configuration documentation to learn how to set the token.
Operations-to-permissions mapping
The type of access level you grant on a given resource type defines which operations users can perform in your app. For example, write access given to a user for the channels resource type (either specific channels or channel patterns) lets them send messages to this channel/these channels (calling the PubNub Pub/Sub API underneath and the Chat SDK's SendText() method).
Variables
Certain Chat SDK methods require permissions on specific channels. Each instance of channelId, userId, messageTimetoken, parentChannelId, threadChannelId, and threadMessageChannelId in the table is a placeholder and it is up to you to provide the correct value.
In some cases, certain channels are created that have a specific naming convention, like PUBNUB_INTERNAL_MODERATION_channelId, PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken, or channelId-pnpres. Inspect the tables carefully and manage your permissions accordingly.
The following tables show which specific permissions granted to PubNub resources translate to operations users can later perform using our Chat SDKs.
Method scope and naming
The method names may vary across Chat SDKs due to syntax differences between programming languages. Also, methods that don't require communicating with the PubNub servers don't require permissions and are not present in the table.
Chat object methods
Chat SDK method(s) | Resource: Permission |
---|---|
Init() | UUID: Get, Update |
CreatePublicConversation() | Channel (channelId): Update |
CreateDirectConversation() | Channel (channelId): Get, Update, Join, Write; Channel (invitee): Write; UUID (userThatCallsTheMethod, invitee): Update, Get |
CreateGroupConversation() | Channel (channelId): Update, Manage, Join; Channel (invitee[]): Write; UUID (userThatCallsTheMethod, invitee[]): Update, Get |
GetChannel() | Channel: Get |
GetChannels() | No permissions required. Ensure that the Disallow Get All Channel Metadata checkbox in your keyset configuration in the Admin Portal is unmarked. |
UpdateChannel() | Channel (channelId): Update |
DeleteChannel() | Channel (channelId): Delete |
PinMessageToChannel() | Channel (channelId): Update |
UnpinMessageFromChannel() | Channel (channelId): Update |
GetChannelSuggestions() | No permissions required. Ensure that the Disallow Get All Channel Metadata checkbox in your keyset configuration in the Admin Portal is unmarked. |
CurrentUser() | UUID: Get |
CreateUser() | UUID (userId): Get, Update |
GetUser() | UUID (userId): Get |
GetUsers() | No permissions required. Ensure that the Disallow Get All User Metadata checkbox in your keyset configuration in the Admin Portal is unmarked. |
UpdateUser() | UUID (userId): Update |
DeleteUser() | UUID (userId): Delete |
GetUserSuggestions() | No permissions required. Ensure that the Disallow Get All User Metadata checkbox in your keyset configuration in the Admin Portal is unmarked. |
WherePresent() | No permissions required. |
WhoIsPresent() | Channel (channelId): Read |
IsPresent() | No permissions required. |
SetRestrictions() | Channel (PUBNUB_INTERNAL_MODERATION_channelId): Manage, Update; Channel (PUBNUB_INTERNAL_MODERATION.userId): Write |
EmitChatEvent() | Channel (channelId): Write |
GetEventsHistory() | Channel (channelId): Read |
ListenForEvents() | Channel (channelId, channelId-pnpres): Read |
ForwardMessage() | Channel (channelId): Write |
GetUnreadMessagesCounts() | UUID (currentUser): Get; Channel: Read - for all channels where the user has memberships |
MarkAllMessagesAsRead() | UUID (currentUser): Get, Update; Channel: Write, Join - for all channels where the user has memberships |
GetCurrentUserMentions() | Channel (channelId of the mention event, userId): Read |
CreateThreadChannel() | Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get |
GetThreadChannel() | Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get |
RemoveThreadChannel() | Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get, Delete; Channel (parentChannelId): Delete |
Channel object methods
Chat SDK method(s) | Resource: Permission |
---|---|
Update() | Channel (channelId): Update |
Connect() | Channel (channelId, channelId-pnpres): Read |
Join() | Channel (channelId): Read, Join, Write; Channel (channelId-pnpres): Read; UUID (currentUser): Get, Update |
Disconnect() | Channel (channelId, channelId-pnpres): Read |
Leave() | UUID (currentUser): Update; Channel (channelId): Join, Read; Channel (channelId-pnpres): Read |
DeleteChannel() | Channel (channelId): Delete |
SendText() | Channel (channelId): Write; Channel (userId): Write - for every mentioned user |
WhoIsPresent() | Channel (channelId): Read |
IsPresent() | No permissions required. |
SetRestrictions() | Channel (PUBNUB_INTERNAL_MODERATION_channelId): Manage, Update; Channel (PUBNUB_INTERNAL_MODERATION.userId): Write |
GetUserRestrictions() | UUID (userId): Get |
GetUsersRestrictions() | Channel (PUBNUB_INTERNAL_MODERATION_channelId): Get |
GetHistory() | Channel (channelId): Read |
GetMessage() | Channel (channelId): Read |
GetMembers() | Channel (channelId): Get |
Invite(user) | UUID (userId): Update; Channel (channelId): Get, Write, Join; Channel (userId): Write |
InviteMultiple(user[]) | Channel (user[]): Write; Channel (channelId): Manage, Write, Join; UUID (user[]): Get, Update |
StartTyping() | Channel (channelId): Write |
StopTyping() | Channel (channelId): Write |
GetTyping() | Channel (channelId, channelId-pnpres): Read |
PinMessage() | Channel (channelId): Update |
UnpinMessage() | Channel (channelId): Update |
GetPinnedMessage() | Channel (channelId): Read |
ForwardMessage() | Channel (channelId): Write |
EmitUserMention() | Channel (userId): Write |
GetUserSuggestions() | Channel: Get |
StreamUpdates() | Channel (channelId, channelId-pnpres): Read |
StreamUpdatesOn(channel[]) | Channel (channelId[], channelId-pnpres[]): Read |
StreamPresence() | Channel (channelId, channelId-pnpres): Read |
StreamReadReceipts() | Channel (channelId): Get, Read; Channel (channelId-pnpres): Read |
GetMessageReportsHistory() | Channel (PUBNUB_INTERNAL_MODERATION_channelId): Read |
StreamMessageReports() | Channel (PUBNUB_INTERNAL_MODERATION_channelId, PUBNUB_INTERNAL_MODERATION_channelId-pnpres): Read |
User object methods
Chat SDK method(s) | Resource: Permission |
---|---|
Update() | UUID (userId): Update |
DeleteUser() | UUID (userId): Delete |
WherePresent() | No permissions required. |
IsPresentOn(channelId) | No permissions required. |
SetRestrictions() | Channel (PUBNUB_INTERNAL_MODERATION_channelId): Manage, Update; Channel (PUBNUB_INTERNAL_MODERATION.userId): Write |
GetChannelRestrictions(channelId) | Channel (PUBNUB_INTERNAL_MODERATION_channelId): Get |
GetChannelsRestrictions() | UUID (userId): Get |
GetMemberships() | UUID (userId): Get |
StreamUpdates() | UUID (userId, userId-pnpres): Read |
StreamUpdatesOn(user[]) | UUID (userId[], userId-pnpres[]): Read |
Membership object methods
Chat SDK method(s) | Resource: Permission |
---|---|
Update() | UUID (userId): Update; Channel: Join |
SetLastReadMessageTimetoken() | UUID (userId): Update; Channel: Write, Join |
SetLastReadMessage() | UUID (userId): Update; Channel: Write, Join |
GetUnreadMessagesCount() | Channel (channelId): Read |
StreamUpdates() | Channel (channelId, channelId-pnpres): Read |
StreamUpdatesOn(membership[]) | Channel (channelId, channelId-pnpres): Read |
Message object methods
Chat SDK method(s) | Resource: Permission |
---|---|
EditText() | Channel (channelIdOfTheChannelTheMessageWasSent): Write |
DeleteMessage() | Channel (channelIdOfTheChannelTheMessageWasSent): Write |
DeleteMessageHard() | Channel (channelId): Delete; Channel (threadChannelId): Get, Delete - if the message has a thread attached |
Restore() | Channel (channelIdOfTheChannelTheMessageWasSent): Delete |
Pin() | Channel (channelId): Get, Update |
Unpin() | Channel (channelId): Get, Update, Read |
ToggleReaction() | Channel (channelId): Write, Delete |
Forward(channel) | Channel (channelId): Write |
Report() | Channel (PUBNUB_INTERNAL_MODERATION_channelIdFrom Message): Write |
StreamUpdates() | Channel (channelId, channelId-pnpres): Read |
StreamUpdatesOn(message[]) | Channel (channelId, channelId-pnpres): Read |
CreateThread() | Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get |
GetThread() | Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get |
RemoveThread() | Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get, Delete; Channel (parentChannelId): Delete |
QuotedMessage() | Channel (channelId): Get, Read |
ThreadChannel object methods
Chat SDK method(s) | Resource: Permission |
---|---|
SendText() | Channel (parentChannelId): Write; Channel (threadChannelId): Write, Update; Channel (mentionedUserIds): Write |
GetThreadHistory() | Channel (threadChannelId): Read |
PinMessageToThread() | Channel (threadChannelId): Update |
UnpinMessageFromThread() | Channel (threadChannelId): Update |
PinMessageToParentChannel() | Channel (parentChannelId): Get, Update |
UnpinMessageFromParentChannel() | Channel (parentChannelId): Get, Update |
EmitUserMention() | Channel (userId): Write |
ThreadMessage object methods
Chat SDK method(s) | Resource: Permission |
---|---|
PinToParentChannel() | Channel (parentChannelId): Get, Update |
UnpinFromParentChannel() | Channel (parentChannelId): Get, Update |
StreamUpdates() | Channel (threadMessageChannelId, threadMessageChannelId-pnpres): Read |
StreamUpdatesOn(threadMessage[]) | Channel (threadMessageChannelId, threadMessageChannelId-pnpres): Read |
MessageDraft object methods
Chat SDK method(s) | Resource: Permission |
---|---|
Send() | Channel (channelId): Write; Channel (userId): Write - for every mentioned user |
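
The tables above can drive a least-privilege check on the server that grants tokens. The following is an added example, not PubNub code: it copies a few rows from the Channel and Message tables, resolves the placeholders and internal channel names, and reports what a grant holds beyond what the planned methods need. The function names, rule keys, and sample IDs (support, alice, bob) are hypothetical, and the output is a plain dictionary rather than an Access Manager request.

```python
# Added example: a least-privilege planner built from a few rows of the tables
# above. Function names, rule keys and the sample IDs are hypothetical.

# (resource type, name template, permissions) per Chat SDK method.
RULES = {
    "Channel.Join": [
        ("channel", "{channelId}", {"read", "join", "write"}),
        ("channel", "{channelId}-pnpres", {"read"}),
        ("uuid", "{currentUser}", {"get", "update"}),
    ],
    "Channel.SendText": [("channel", "{channelId}", {"write"})],
    "Channel.GetHistory": [("channel", "{channelId}", {"read"})],
    "Message.Report": [
        ("channel", "PUBNUB_INTERNAL_MODERATION_{channelId}", {"write"}),
    ],
    "Channel.SetRestrictions": [
        ("channel", "PUBNUB_INTERNAL_MODERATION_{channelId}", {"manage", "update"}),
        ("channel", "PUBNUB_INTERNAL_MODERATION.{userId}", {"write"}),
    ],
}


def plan(methods, mentioned_users=(), **ids):
    """Union the permissions every listed method needs, keyed by resource."""
    needed = {}
    for method in methods:
        for rtype, template, perms in RULES[method]:
            # A missing placeholder value raises KeyError instead of guessing.
            key = (rtype, template.format(**ids))
            needed.setdefault(key, set()).update(perms)
        if method == "Channel.SendText":
            # SendText() also needs Write on each mentioned user's channel.
            for user in mentioned_users:
                needed.setdefault(("channel", user), set()).add("write")
    return needed


def excess(granted, needed):
    """Return permissions in a grant that the planned methods never use."""
    extra = {}
    for key, perms in granted.items():
        unused = perms - needed.get(key, set())
        if unused:
            extra[key] = unused
    return extra


if __name__ == "__main__":
    needed = plan(["Channel.Join", "Channel.SendText", "Channel.GetHistory"],
                  mentioned_users=["bob"], channelId="support", currentUser="alice")
    for (rtype, name), perms in sorted(needed.items()):
        print(rtype, name, sorted(perms))
```

Running excess() against the permissions an existing token carries shows, for example, a regular member's token that also holds Manage on the moderation channel.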