
Make only one of my user accounts read only?

So from this topic, it looks like you can have a single read only account across all devices and still count it as 1 active user. What I want is to have 1 Kinvey User have read only access and then the other Kinvey Users have their normal read + write access. How do I do this? I could probably block that specific user in every onPre___ hook, but that seems hacky and I don't have that many BL scripts available.


To clarify, my tables have private access so that read only account won't be able to access other user's entities. However, they will be able to save their own entities which makes them no longer a read only user that can count as 1 active user.

Hi Gary,

You could use ACLs (http://devcenter.kinvey.com/rest/guides/security#entityanduserpermissions), and add this user (or a group to which this user belongs) as a reader to every entity you create. You could do this either through your app whenever an entity is created, or by modifying the ACL through BL.
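Added example (not code from the thread or from Kinvey): a server-side pre-save policy that does both things discussed above in one hook, so the check cannot be removed by editing the client app. It rejects write requests from a designated read-only account and, for every other user's save, adds that account's user id to the entity's `_acl.r` reader list. The request fields (`request.username`, `request.method`, `request.body`), the hook signature `onPreSave(request, response, modules)` with `response.complete(status)` / `response.continue()`, and the `_acl.r` reader array are assumed here from Kinvey's BL and ACL documentation; the account names and ids are constructed.

```javascript
// Added example, not Kinvey's own code. Assumed request/response/_acl shapes
// follow Kinvey's Business Logic and ACL docs; names and ids are constructed.

// Constructed values: the account that must stay read-only.
const READ_ONLY_USERNAME = 'shared-reader';             // hypothetical username
const READ_ONLY_USER_ID = 'user-id-of-shared-reader';   // hypothetical _id

// Pure policy function so it can be tested without the Kinvey runtime.
// Returns { allow: false, status, message } to reject a write by the read-only
// account, or { allow: true, entity } with the entity's ACL amended so the
// read-only account is listed as a reader.
function applyReadOnlyPolicy(request) {
  const entity = request.body ? { ...request.body } : {};
  const isWrite = ['POST', 'PUT', 'DELETE'].includes(request.method);

  // Server-side enforcement: a decompiled client cannot bypass this.
  if (isWrite && request.username === READ_ONLY_USERNAME) {
    return { allow: false, status: 403, message: 'read-only account may not write' };
  }

  // Other users keep private entities, but the read-only account is granted
  // read access via the per-entity ACL reader list (_acl.r).
  const acl = { ...(entity._acl || {}) };
  const readers = new Set(acl.r || []);
  readers.add(READ_ONLY_USER_ID);
  acl.r = Array.from(readers);
  entity._acl = acl;
  return { allow: true, entity };
}

// Assumed Kinvey BL hook wiring. A single onPreSave on a collection covers
// both inserts and updates for that collection.
function onPreSave(request, response, modules) {
  const decision = applyReadOnlyPolicy(request);
  if (!decision.allow) {
    response.body = { error: decision.message };
    response.complete(decision.status);   // stop; nothing is written
    return;
  }
  request.body = decision.entity;          // save the entity with the amended ACL
  response.continue();                     // hand off to the data store
}

// Constructed sample requests, as the hook would see them.
const SAMPLE_WRITE_BY_READER = { username: 'shared-reader', method: 'POST', body: { note: 'x' } };
const SAMPLE_WRITE_BY_OTHER = { username: 'alice', method: 'POST', body: { note: 'y', _acl: { r: ['bob-id'] } } };
```

The policy lives in one hook per collection rather than in every onPre hook, which keeps the BL script count low; a read-only account that is also the `_acl.creator` of nothing never gains write rights through the ACL.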


I know I can achieve that through BL, unfortunately I don't have that many BL scripts available since I currently only have a max of 5 scripts. I already have safeguards against this in my app but I can't rely on that as that is client side and there is no way I can stop a hacker from decompiling my app and then disabling whatever safeguards I put. Besides, even if I add this user as read only to every entity, I don't see how this prevents this user from performing a write operation by saving their own entities. To clarify, I only need to limit this user to read only because Kinvey allows a read only user across all devices but not one that writes. I don't need this for security reasons, this user can read or write their own entities all they want, it doesn't affect my other users' entities that have private access. Is there an email I can reach you guys at so I can discuss what exactly I want to do?

Hi Gary,

You're right that this wouldn't prevent the user from creating new entities. However, I'm not very clear on the reason this is a problem for you, especially since you say "this user can read or write their own entities all they want". Can you elaborate on why you need a user that not only has read-only access to all entities, but also cannot create their own entities?


As for email support, I'm afraid that it is only available for paid usage tiers.

From the topic I linked, it seems that Kinvey will allow you to use an account across all devices and users if that account only performs read operations. So I assume that if that user account performs a write operation, then that no longer applies and breaks the TOS. 

Hi Gary,

I believe the topic you linked mentions a read-only user simply because the app in question would not create *any* users (besides the single account), and when your app only uses a single user with full access, there might be complications (merge conflicts are the most obvious).

Our terms of service do not enforce in any way the level of access to your data which you choose to grant a user of your app.

I am worried about violating the TOS for having way too many devices using a single Kinvey user account. This is a question I asked a few months ago:


Gary: If multiple people using a single Kinvey Acc is allowed, theoretically, what is stopping me from signing in all my users under one single Kinvey Acc and having a separate column that indicates which entity belongs to which user? That way even if I had 1 billion users, I would still be able to stay under 100 active users but still tax Kinvey's servers with 1 billion users' requests.


Damien Bell: There is nothing stopping you from doing that, but we do monitor user account activity.  If we feel as though you are violating the terms of service we can lockdown your application without warning.   Use of service accounts or allowing sync of a single account across multiple devices is totally allowed within reason.   There is no arbitrary amount of devices where we say "that's the limit", but it would be pretty clear if someone was abusing it.   The average user on Kinvey has 1-2 devices paired with their account, which is reasonable.


If an app had 1000 users but each user had 5 - 50 devices, we would be extremely skeptical that they weren't in violation of the TOS.




I am not sure if hackers decompiling my app and removing my safeguards would be considered a violation as I am not doing it maliciously.

Hi, I am still waiting for an answer.

Gary, 


We don't actively monitor for this type of activity and we've never heard of this happening to any user.  It's theoretically possible but we'd likely base TOS violations on API usage and the strain that you put on the system.   If we detect abnormal activity we will ask you about it before suspending your application.  There are very few people that get questioned or notified about their usage unless we feel they are using the platform incorrectly.


Thanks,
