Security Annotations
Squizy provides several annotations that control access at the entity and field level. These annotations work together with the RBAC system to enforce fine-grained authorization rules.
For a complete reference of all Squizy annotations (including non-security ones), see Annotations.
@AdminOnly
The @AdminOnly annotation marks entities that should only be accessible by the Admin role when using the default roles. It determines which authorities are included in each default role during creation.
See Default Roles → The @AdminOnly Annotation for full details, including behavior when customizing roles.
@SensitiveField
Reading sensitive fields requires the readSensitive authority for the entity. When a user without this authority reads an entity, sensitive fields are returned as masked or null values.
Custom authority names can be specified per field, allowing more granular control:
```java
@SensitiveField(authorityName = "readOrderCardNumber")
private String cardNumber;
```
With a custom authority name, you can grant access to one sensitive field without granting access to all sensitive fields on the entity. The custom authority must be created and assigned to the relevant roles; it is not derived from readSensitive.
See @SensitiveField for the full annotation reference.
@OwnerField
The @OwnerField annotation restricts entity visibility based on record ownership. The owner field is automatically set to the authenticated user's identity during creation and cannot be modified.
The filtering behavior is controlled by the visibleByOthers attribute:
visibleByOthers = false (default)
```java
@OwnerField
private String createdBy;
```
Query results are filtered so that every user, including administrators, only sees records where the owner field matches their identity. There is no admin bypass; the filter applies universally. This is the setting to use for multi-tenant scenarios, personal dashboards, or any case where users should only manage their own data.
visibleByOthers = true
```java
@OwnerField(visibleByOthers = true)
private String createdBy;
```
No ownership filter is applied. All users can see all records regardless of the owner field value. The field still records who created the record, but it does not restrict visibility.
See @OwnerField for the full annotation reference.
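The following is an added, stand-alone Java 17 program (not Squizy code, and not an example from the Squizy documentation) that models the read-side rules described above for both @SensitiveField and @OwnerField, so the interaction between them can be seen on sample data: the per-field custom authority, the entity-level readSensitive authority, the owner filter with no admin bypass, and the visibleByOthers opt-out. The @SensitiveField and @OwnerField annotation types declared at the top are stand-ins with the attributes named on this page, not the framework's classes; the Order and Notice entities and the users are constructed sample data; and the model assumes that a custom authorityName is the only authority that unlocks that field (check the annotation reference for how readSensitive and a custom name combine in the real framework).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SecurityAnnotationsDemo {

    // Stand-in annotation types with the names and attributes documented on the page.
    // Declared here only so the file runs without Squizy; not the framework's classes.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface SensitiveField { String authorityName() default ""; } // "" = entity-level readSensitive

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface OwnerField { boolean visibleByOthers() default false; }

    // Constructed sample entity: owner field, one field under the entity-level
    // readSensitive authority, one under a custom per-field authority.
    static class Order {
        @OwnerField String createdBy;
        String item;
        @SensitiveField String customerEmail;
        @SensitiveField(authorityName = "readOrderCardNumber") String cardNumber;
        Order(String createdBy, String item, String customerEmail, String cardNumber) {
            this.createdBy = createdBy; this.item = item;
            this.customerEmail = customerEmail; this.cardNumber = cardNumber;
        }
    }

    // Constructed sample entity that opts out of the ownership filter.
    static class Notice {
        @OwnerField(visibleByOthers = true) String createdBy;
        String text;
        Notice(String createdBy, String text) { this.createdBy = createdBy; this.text = text; }
    }

    // A caller: identity plus the authorities granted through their roles.
    record User(String name, Set<String> authorities) {}

    // Authority a @SensitiveField requires: the custom name when given, else the
    // entity-level readSensitive. (Assumption: a custom name is the sole unlock.)
    static String requiredAuthority(SensitiveField sf) {
        return sf.authorityName().isEmpty() ? "readSensitive" : sf.authorityName();
    }

    // Ownership filter: keep only records whose @OwnerField equals the caller's
    // identity unless the field sets visibleByOthers = true. Deliberately no role
    // check: the documented behaviour has no admin bypass.
    static <T> List<T> visibleTo(User user, List<T> records, Class<T> type) throws IllegalAccessException {
        for (Field f : type.getDeclaredFields()) {
            OwnerField of = f.getAnnotation(OwnerField.class);
            if (of == null) continue;
            if (of.visibleByOthers()) return records;
            f.setAccessible(true);
            List<T> mine = new ArrayList<>();
            for (T r : records) if (user.name().equals(f.get(r))) mine.add(r);
            return mine;
        }
        return records; // no @OwnerField on the entity: nothing to filter on
    }

    // Read view of one record: sensitive fields whose authority the caller lacks come
    // back as null (the page allows masked or null; this stand-in uses null).
    static Map<String, Object> read(User user, Object entity) throws IllegalAccessException {
        Map<String, Object> view = new LinkedHashMap<>();
        for (Field f : entity.getClass().getDeclaredFields()) {
            f.setAccessible(true);
            SensitiveField sf = f.getAnnotation(SensitiveField.class);
            boolean masked = sf != null && !user.authorities().contains(requiredAuthority(sf));
            view.put(f.getName(), masked ? null : f.get(entity));
        }
        return view;
    }

    public static void main(String[] args) throws Exception {
        List<Order> orders = List.of(
            new Order("alice", "keyboard", "alice@example.test", "4111111111111111"),
            new Order("bob", "monitor", "bob@example.test", "5500000000000004"));
        List<Notice> notices = List.of(new Notice("alice", "maintenance window tonight"));

        // Administrator with readSensitive but not the custom authority: the owner
        // filter still applies, so no Order rows come back for "admin" at all.
        User admin = new User("admin", Set.of("readSensitive"));
        // bob holds only the custom per-field authority: sees his own order with
        // cardNumber visible and customerEmail nulled out.
        User bob = new User("bob", Set.of("readOrderCardNumber"));

        for (User u : List.of(admin, bob)) {
            System.out.println(u.name() + " / orders:");
            for (Order o : visibleTo(u, orders, Order.class)) System.out.println("  " + read(u, o));
            System.out.println(u.name() + " / notices:");
            for (Notice n : visibleTo(u, notices, Notice.class)) System.out.println("  " + read(u, n));
        }
    }
}
```

Run it with `java SecurityAnnotationsDemo.java`. The admin user sees both notices (visibleByOthers = true) but no orders, because the ownership filter ignores roles; bob sees only his own order, with the card number present and the e-mail nulled, because readOrderCardNumber does not imply readSensitive. Whether the reverse also holds (readSensitive unlocking a field with a custom authorityName) is the assumption noted above and should be confirmed against the annotation reference before relying on it.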
TIP
For detailed usage of each annotation, see the Annotations Reference.