Problem with app security when I share it

jean-mi · 06-21-2023 04:41 AM

Hello,

I share my application with another user.
I selected: view definition (to protect access to the definition) and just "User".

As you can see in the image below, it doesn't have access to columns etc... that's fine

But he can copy the application and then recover the data and the definition in the copy. He can therefore circumvent the security rule put in place.

Something escapes me...

How to prevent application copying?

thanks for reading
An idea ?

Suvrutt_Gurjar

@jean-mi wrote:

I selected: view definition (to protect access to the definition) and just "User".

Please try "Use app" instead:

Please carefully go through the article

Share: The Essentials - AppSheet Help

Since this is related to important topic app accesses , please do test very well and satisfy yourself or take help of the AppSheet support team or community if you have still any queries or still observe any discrepancy in the app sharing behavior..

jean-mi

@Suvrutt_Gurjar wrote:
Please try "Use app" instead:

if I do this, the user no longer has access to the definition.

I just want it to not be able to copy the app.
But that he can deploy it (it's not possible)

Let him put his credit card for invoicing.

Suvrutt_Gurjar

Got it. Your observation is correct. A user with 'Can view definition" seems to be able to copy the app along with the back end data.

I believe , yes, the description of 'Can view the app definition" can be more accurate to avoid any ambiguity in understanding.

@lizlynch

As this post thread discusses , if a user has been granted "can view the app definition" rights while sharing the app, it seems that user can copy the app definition into a new app along with the backend data. I tested the behavior and copying is possible.

Request you to discuss with the development team and possibly make the description in the help article clearer if that is the intended behavior. On the face of it. generally one could assume that the right of "can view the app definition" will not allow the said user to copy the app along with the data.

ninjatest

.

lizlynch

Thank you for the question and @Suvrutt_Gurjar thank you for tagging me. I have clarified the article to make it more clear that users can copy the app in this case. @jean-mi I would suggest submitting a feature request if this is an important use case (aka, deploy app, but do not allow copy).

Thank you!

jean-mi

Thanks @Suvrutt_Gurjar & @lizlynch

Yes I think it is important and that we must leave the choice to the owner of the application to choose whether we can copy it or not.

Today research and development requires time and money. We can share and authorize the copy through our portfolio of part of our work or copy a template provided by Appsheet to study and enrich ourselves.

But in the case of a customer relationship, it's different. A developer may use certain tables to control the application or have personal data there and not want to share it with his client.

Thank you

Suvrutt_Gurjar

Hi @jean-mi ,

Your suggestions are valid. As @lizlynch mentioned, please raise a feature idea request.

Hope development team will take it up in due course of time.

WillowMobileSys

@jean-mi wrote:

Yes I think it is important and that we must leave the choice to the owner of the application to choose whether we can copy it or not.

Today research and development requires time and money. We can share and authorize the copy through our portfolio of part of our work or copy a template provided by Appsheet to study and enrich ourselves.

I responded in the Feature Idea but thought I'd repeat here.

My understanding is the the op wants a user to have "View Definition" access but then not allow copy of the app to that user. Even if a copy action in the platform was not allowed, a user can still open a separate tab under their own AppSheet Account, create a blank app and then manually copy over the complete app definition.

It seems maybe the intent is to give a customer certain app creator abilities WITHOUT "View Definition" access at all. Maybe a new permissions set is needed? But care must be taken as this straddles some of the current security walls put in place.