Add Security with Channels

      Channels and their part in data routing and access control for secure cloud-to-edge enterprise data synchronization.


      Channels make it easy to share a database’s documents across a large user base while retaining effective access control. They serve as a security conduit between the document and a user:

      Access Control using Channels
      Figure 1. Channels in Access Control

      Conceptually, the channel can be considered as a tag associated with a document. Every document processed by the App Service is assigned to a channel.


      Every document in the database is assigned a list of channels it is distributed to. Every user (or role) is granted access to a list of channels. This dual-purpose is reflected in the way you use channels:

      • By granting a user access to a channel, you are imposing access control.

      • By assigning a document to a channel you are imposing document routing.

      You typically will use channels to:

      • Control who can access what

      • Partition your dataset

      • Enable users to access just the documents they need.

      • Minimize the amount of data synced to mobile devices.

      An App Service supports two types of channel:

      Admin Channels

      Admin channels are assigned statically. Admin channels can be set up through the Capella UI from the App Endpoint Security  App Users  Create App User page:

      Creating a channel from the user screen
      Figure 2. Creating a new channel for a user

      Admin channels can also be created through the REST Admin API by calling /{db}/_user/ endpoint, including a section in the JSON message to create the channels:

        "name": "string",
        "password": "string",
        "admin_channels": [    (1)
        "admin_roles": [
        "email": "string",
        "disabled": false
      1 Place channels in the admin_channels section.

      The channels can also be updated through a call to update the user: /{db}/_user/{username}

      Other Channels

      Non-admin channels can be assigned dynamically through the App Endpoint Security  Access and Validation function:

      Assigning document to channel with Javascript access control function
      Figure 3. Assigning document to channel through Access Control/JavaScript

      These channels are created and allocated dynamically as documents are created and modified. Once a channel is allocated to an App User, it will be displayed under "Other Channels".

      Further Reading