Custom permissions in Shared Cloud
Introduction
Custom permissions are intended primarily for AGS Shared Cloud customers who create Custom APIs using Extend Service Extension and want their players (via Game Client) or Game Servers to access those Custom APIs.
Besides the built-in permissions provided by AGS service APIs, studio admins in Shared Cloud cannot freely add arbitrary permissions for their players or Game Servers. Any custom permission must follow a predefined format to:
- Prevent collisions with AGS built-in permission strings.
- Prevent inadvertent access — ensure Studio Admins cannot grant access to AGS resources or resources owned by other studios outside their intended scope.
If you are on Private Cloud, there is no need to utilize custom permissions. Private Cloud does not have the same multi-tenant restrictions, so you can define permissions freely without following the custom permission format described in this article.
Custom permission format
Custom permissions follow the same pattern and underlying fundamentals as described in the Permission Fundamentals guide, with one key difference: custom permission must begin with a predefined prefix. There are two formats available, depending on the purpose of endpoint your Extend App exposes: Admin permission format and Public permission format.
Permission resource
- Admin permission format
- Public permission format
Use the Admin format if your Extend App exposes admin utility endpoints (e.g. called by a Game Server or custom backend service using a client credentials token).
CUSTOM:ADMIN:NAMESPACE:{namespace}:<OBJECTNAME>
-
<OBJECTNAME>is a placeholder that you define based on your own implementation — it represents the custom resource your Extend App exposes. For example:CUSTOM:ADMIN:NAMESPACE:{namespace}:PROGRESSION:CLAIMS
CUSTOM:ADMIN:NAMESPACE:{namespace}:USER:{userId}:PROGRESSIONS
Use the Public format if your Extend App exposes player-facing endpoints (e.g. called using a player access token from the Game Client).
CUSTOM:NAMESPACE:{namespace}:<OBJECTNAME>
-
<OBJECTNAME>is a placeholder that you define based on your own implementation — it represents the custom resource your Extend App exposes. For example:CUSTOM:NAMESPACE:{namespace}:PROGRESSION:CLAIMS
CUSTOM:NAMESPACE:{namespace}:USER:{userId}:PROGRESSIONS
Although the chosen permission format ultimately depends on your implementation, following this Admin/Public format separation is recommended as a best practice. It keeps your permission design aligned with how AGS itself structures its built-in permissions.
Permission actions
Permission Actions describe what the permission enables a user or application to do with a resource. Custom permissions support the same actions as built-in AGS permissions: Create, Read, Update, and Delete.
Granting custom permissions
Once you have defined the custom permission in your Extend App, you can grant those custom permissions to the appropriate principal:
- To grant custom permissions to a Player (via Default User Role Override): See Add custom permission to Default User Role.
- To grant custom permissions to a Game Server or Custom Backend (via Confidential IAM Client): See Add and edit IAM client permissions.