UDF ABAC escalation

Hi there.
Can I use the Login function from within a UDF?
This is because I want every resource under ABAC, but I want browsers to only be able to call UDFs.
So I put UDFs under role A in ABAC, and authenticate browsers with it.
But I want normal collections (say my domain data) under ABAC role B.
So I want my UDFs to be called from role A, then escalate to B.
Is this possible?
This would very much mimic a REST endpoint…

I’m not entirely sure what you are asking but:

  • Tokens() have identity; the identity is maintained within a UDF.
  • You could say that that token can only call a UDF.
  • UDFs can have a role, that means that role information provides elevated permissions to the UDF.

This would essentially mean that role A can call the UDF, and the UDF has a role attached to it on creation, which means it is escalated to B. I think that’s what you are asking, right?

There are examples in this application: Rethinking Twitter as a Serverless App | Fauna Documentation
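
The arrangement described in the answer above, written out as an added example (not part of the original thread and not Fauna's own code) in FQL v4 shell syntax. All role, function, collection and index names are hypothetical, and the collections and index are assumed to exist already.

```fql
// Hypothetical names throughout; assumes collections "users" and "orders" and
// an index "orders_by_owner" with terms on data.owner already exist.

// Role B: the privileges the UDF runs with. It has no membership,
// so no browser token ever holds it directly.
CreateRole({
  name: "role_b_domain",
  privileges: [
    { resource: Collection("orders"), actions: { read: true } },
    { resource: Index("orders_by_owner"), actions: { read: true } }
  ]
})

// The UDF, with role B attached at creation. Role B can read every order,
// so the function scopes the query to the caller's identity itself.
CreateFunction({
  name: "my_orders",
  role: Role("role_b_domain"),
  body: Query(
    Lambda([],
      Map(
        Paginate(Match(Index("orders_by_owner"), CurrentIdentity())),
        Lambda("ref", Get(Var("ref")))
      )
    )
  )
})

// Role A: held by tokens whose identity is a document in "users".
// Its only privilege is calling the UDF; it grants nothing on "orders".
CreateRole({
  name: "role_a_browser",
  membership: [{ resource: Collection("users") }],
  privileges: [
    { resource: Function("my_orders"), actions: { call: true } }
  ]
})
```

With this in place, a token obtained through Login() for a "users" document can run Call(Function("my_orders")), while a direct read of "orders" with the same token is denied. Because the UDF body executes with role B, any filtering by caller has to be written into the function, as the CurrentIdentity() match does here.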