Control access to services

To store a player’s information, you need an identifier for the player. Unity Gaming Services (UGS) requires players to authenticate to access most features for security and identification. The authentication process means that if the same player signs in to your game through the same provider on a new device, the player has the same playerId, which also allows you to synchronize their game data between devices.

By default, UGS allows player applications to call API endpoints directly, which you can use to test. Server authority principles recommend that you restrict direct player access and only allow updates through trusted server code. This means that the player client acts as a presentation layer while Cloud Code validates integrity and stores the accurate game state data.

To disable player API access at the endpoint level, you can use access control. You can use access control to only allow calls to backend services through Cloud Code functions. You can also use a project’s service credentials to grant access to a server.

A good place to start with access control is to disallow writes from the client, but allow reads. This means that updates will go through Cloud Code, but the client can get the latest state directly from the service, which will reduce Cloud Code costs. The following access control configuration will:

  • Deny clients writing directly to Cloud Save, but allow reads and queries
  • Deny clients writing directly to a player's inventory or currency in Economy, but allow reads and purchases, which are already server authoritative
  • Deny clients adding a score to a leaderboard, but allow reads to get leaderboards and leaderboard scores
  • Deny clients updating their player name, but allow reading their player name
{
  "$schema": "https://ugs-config-schemas.unity3d.com/v1/project-access-policy.schema.json",
  "Statements": [
    {
      "Sid": "deny_access_to_cloud_save_writes",
      "Action": [
        "Write"
      ],
      "Effect": "Deny",
      "Principal": "Player",
      "Resource": "urn:ugs:cloud-save:/**",
      "Version": "1.0.0"
    },
    {
      "Sid": "allow_access_to_cloud_save_queries",
      "Action": [
        "Write"
      ],
      "Effect": "Allow",
      "Principal": "Player",
      "Resource": "urn:ugs:cloud-save:/**/query",
      "Version": "1.0.1"
    },
    {
      "Sid": "deny_access_to_economy_writes",
      "Action": [
        "Write"
      ],
      "Effect": "Deny",
      "Principal": "Player",
      "Resource": "urn:ugs:economy:/**",
      "Version": "1.0.0"
    },
    {
      "Sid": "allow_access_to_economy_purchases",
      "Action": [
        "Write"
      ],
      "Effect": "Allow",
      "Principal": "Player",
      "Resource": "urn:ugs:economy:/**/purchases/*",
      "Version": "1.0.0"
    },
    {
      "Sid": "deny_access_to_leaderboards_add_score",
      "Action": [
        "Write"
      ],
      "Effect": "Deny",
      "Principal": "Player",
      "Resource": "urn:ugs:leaderboards:/v1/projects/*/leaderboards/*/scores/players/*",
      "Version": "1.0.0"
    },
    {
      "Sid": "deny_access_to_player_name_updates",
      "Action": [
        "Write"
      ],
      "Effect": "Deny",
      "Principal": "Player",
      "Resource": "urn:ugs:social:/v1/names/*",
      "Version": "1.0.0"
    }
  ]
}

If there are other services you would like to block client access to, the URNs for each service are listed in the Access Control page.

For an example of how to use access control, refer to the page on how to Get started with Access Control and Cloud Code.
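
A policy like the one above is easy to weaken by accident, for example by widening an Allow until it matches everything its Deny covers. The following check is an added example, not Unity's code or part of the UGS tooling: it reads a policy in the format shown above and reports services with no player write Deny and Allow statements that are not narrower than a Deny. The `REQUIRED` list, the function names, and the rules themselves are assumptions of this example, and it does not model how UGS evaluates statements.

```python
import json

# Constructed sample: the Cloud Save and Economy statements from the policy
# above, with one mistake added (the Economy allow is as wide as its deny).
SAMPLE_POLICY = json.loads("""{"Statements": [
 {"Sid": "deny_access_to_cloud_save_writes", "Action": ["Write"], "Effect": "Deny",
  "Principal": "Player", "Resource": "urn:ugs:cloud-save:/**"},
 {"Sid": "allow_access_to_cloud_save_queries", "Action": ["Write"], "Effect": "Allow",
  "Principal": "Player", "Resource": "urn:ugs:cloud-save:/**/query"},
 {"Sid": "deny_access_to_economy_writes", "Action": ["Write"], "Effect": "Deny",
  "Principal": "Player", "Resource": "urn:ugs:economy:/**"},
 {"Sid": "allow_access_to_economy_purchases", "Action": ["Write"], "Effect": "Allow",
  "Principal": "Player", "Resource": "urn:ugs:economy:/**"}]}""")

# Assumption: the services this project wants write-protected, named as in the URNs above.
REQUIRED = ("cloud-save", "economy", "leaderboards", "social")

def service_of(resource):
    """'urn:ugs:<service>:<path>' -> '<service>'."""
    return resource.split(":")[2]

def audit(policy, required=REQUIRED):
    """Return sorted findings; an empty list means the policy passed the checks."""
    stmts = policy["Statements"]
    writes = [s for s in stmts if s["Principal"] == "Player" and "Write" in s["Action"]]
    denied = {}  # service -> set of resources with a player write Deny
    for s in writes:
        if s["Effect"] == "Deny":
            denied.setdefault(service_of(s["Resource"]), set()).add(s["Resource"])
    findings = [f"{svc}: no Deny for player writes" for svc in required if svc not in denied]
    for s in writes:
        if s["Effect"] != "Allow":
            continue
        svc = service_of(s["Resource"])
        if svc not in denied:
            # Players are allowed by default, so this Allow changes nothing.
            findings.append(f"{s['Sid']}: Allow has no Deny to narrow in {svc}")
        elif s["Resource"] in denied[svc] or s["Resource"].endswith(":/**"):
            findings.append(f"{s['Sid']}: Allow is as broad as the Deny it should narrow")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```

Run against the full policy above, `audit` returns an empty list; a check like this can run in CI before the policy file is deployed.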

Integration with UGS services

Cloud Code integrates seamlessly with other Unity Gaming Services (UGS), such as Remote Config, Cloud Save, and more, to build complete backends. Some UGS services generate trigger events sent to the Triggers service when specific actions occur.

If you have a server authoritative game, clients have no ability to create events. This means that events like triggers are always created on the server and you can trust the data.

For more information on how you can use triggers and other events in your game, refer to Triggers.