Skip to main content


Auth records reference a group of roles. Roles, in term, reference a group of rules.

We'll look at the predicates in rules one-by-one in order to understand whether they'll be triggered by a given transaction. Just because a rule belongs to the auth record that is issuing a transaction does not mean that that rule will be triggered.

The first two predicates are straightforward:

  1. _rule/id: Unique identifier for this rule.

  2. _rule/doc: Docstring for this rule

    This next predicate is required:

  3. _rule/collection: The name of the collection this rule applies to.

    If this predicate's object is chat, and a given transaction does not have anything to do with the chat collection, then this rule does not apply.

  4. _rule/collectionDefault: True or false. Is this rule the default for a given collection?

    If this is set to true, then the smart functions attached to this rule are triggered for any transaction that includes the chat collection, regardless of what predicates are being edited.

    If a more specific rule exists (i.e. a rule for chat/person specifically), then the more specific rule applies.

  5. _rule/predicates: A list of predicates this rule applies to.

    If you've already specified _rule/collectionDefault as true, then you shouldn't list any predicates here. However, if collection default is false, we might list predicates like: ["chat/person", "chat/message"]. This would mean that any transactions that involve the chat/person predicate or the chat/message predicate would trigger the smart functions attached to this rule.

  6. _rule/fns: Reference to functions

    If this rule applies for a given transaction, the smart functions referenced in this predicate would run. If any of the smart functions return false, then the transaction is rejected.

  7. _rule/ops: What operations this rule applies to. Possible tags: query, transact, token, logs, all.

    For the use case we've discussed in this lesson, transact is the relevant operation.

  8. _rule/errorMessage: If a rule prevents a transactions from executing, a custom error mesage can be returned to the user.

For the example, we're going to pretend that we have an auth with certain roles and rules. The below syntax is just a shorthand way of explaining the auth structure- it is not valid Fluree syntax!

Auth Record:



rulesrule1, rule2


ruleFns[ false, true, true, false ]


ruleFns[ true, true, true ]