How do the CloudKit security roles and permissions work?

Question

There are three default security roles in CloudKit:

• World
• Authenticated
• Creator

Answer 1

1) How do these security roles and permissions work? You set them on the dashboard in the Development environment.

2) What do the three roles mean? The first two seem obvious, but the last one seems less so. E.g. does Creator refer to the creator of the table, or the creator of a record? - Creator of the record (and that means all devices that access CloudKit with the same iCloud Account)

3) Where would the deletion permission fall under? Write? YES

4) Can security roles be applied to individual records? NO

5) (E.g. I want a user to have access to only a subset of the records in the InstantMessages table: the ones they send, and the ones they receive. Can something of this nature be done via security roles?) What does 'access' mean? A user can only read things that your app allows them to read and that they have read permission. A user can only create or write (and delete) records that your app lets them create or modify (and delete) and that they have create or write permission - it takes both.

6) Are permissions inherited? (E.g. Does the creator get all permissions granted from creator, authenticated, and world?) Roles are subsets of the other - a creator is a subset of authenticated. authenticated is a subset of world.

7) Are permissions....programmatically? Permissions go to the broad class "creator" "authenticated" "world" so you can't set permission user-by-user (except that the user who creates a record is the only creator).

But key to all of this is to remember that it takes your apps code to grant create/read/write to a record AND the particular user must have that permission. So you can do anything you want in code to allow anyone to do anything - provided you granted "Authenticated" the right to "write"