Restricting Data Access

Hello,

I've created an app which stores projects and information for these projects in one table.

I currently have slices set up and have views as follows:

Projects - Sales - In Progress

Projects - Sales - Complete

Projects - Production - In Progress

Projects - Production - Complete

Projects - Accounts - In Progress

Projects - Accounts - Complete

This allows me to manage a project from start to finish, i.e., sales to production to accounts, along with providing some users only access to in progress work and other users access to in progress and complete work.

However, I'm wondering whether there could be a better way to go about this. Is running 6 slices from the projects table going to affect sync long term?

Can I achieve a similar setup with security filters? Allowing me to perhaps create a single filter and just display the projects table where each user's email provides and restricts access.

Chasing some suggestions here with this. I also look to create Google Groups and add users to one or more groups, and use the group email addresses for access, can this be done without issues?

I'm a little unsure mostly as to where slices and security filters are best used.

Thanks,

David.



@David2 wrote:

Is running 6 slices from the projects table going to affect sync long term?


AFAIK, slices have nothing to do with sync time.



@David2 wrote:

Can I achieve a similar setup with security filters? Allowing me to perhaps create a single filter and just display the projects table where each user's email provides and restricts access.


I assume that if you are asking about this, it is because you don't understand how security filters work, so take a look at the docs.



@David2 wrote:

Chasing some suggestions here with this. I also look to create Google Groups and add users to one or more groups, and use the group email addresses for access, can this be done without issues?


You should be able to use USEREMAIL() no matter how they access your app.



@David2 wrote:

I'm a little unsure mostly as to where slices and security filters are best used


Again, read the official docs; that's the best source of truth when it comes to AppSheet.
Slices provide a convenient way to filter datasets that are downloaded from the backend; security filters filter which data is downloaded from the backend.

Thanks for your reply, I've had a look into this, learnt a bit more about it and restructured my app a bit to allow for security filters to work better with the data in the app.

I've successfully been able to restrict rows in several views, allowing only the users that have entered the information to view their records. This works really well in views like the Timesheet view.

But it now brings a new question to the table, if I wanted to provide certain users access to view all timesheets, regardless of who they're signed in as, how could I do this?

I've considered my best approach would be to use groups, Users get assigned to one or more groups, and the groups provide access to certain views, and data within the views.

For this, I have my Staff table, a Groups table and an interconnecting table, which I use to assign a staff to multiple Groups.

The Interconnecting table below, the referenced Staff field automatically inputs the email from the Staff table, the referenced Group field automatically inputs the email from the Group table.

Capture3.PNG

The Groups table Below

Capture.PNG

So, I've got to this point, watched a few videos on YouTube and read a few docs, tried a few things but can't really picture how to apply a security filter that makes this work. This requires, in my mind with my limited experience, the requirement to show a user only their rows, based on the signed in email, but also provide access to a signed in email address, if it is assigned to a Group Email.

I'm finding the concept a little confusing, and at this point, a little unsure if what I'm trying to produce is possible, and if it is, whether I'm doing it incorrectly.

Any help would be greatly appreciated to achieve this.

Thank you.

You can definitely accomplish what you're envisioning.

In terms of security filters, the group email is probably irrelevant.

You probably want to create security filter expressions that check one of the following:

  • whether the user's email is in the list of emails for a pertinent group
  • whether the user's record includes a pertinent group in the Group column

ICYMI:

Thank you for your answer, I'll have a look through those links tonight and see what I can get to work.

In terms of the data structure to make this work, could you advise what would be best? I see you've mentioned the group email being irrelevant, and the more I think of it, you're right, it's probably adding additional work that's not required.

Keeping in mind that a staff could be assigned to one or more groups - If I had my staff table, and my Groups table, what would you suggest for connecting these?

Do you believe my interconnecting table, which is in the images above is suitable? The interconnecting table allows me to input a user, their email (which auto populates from the staff table), a group and the group email (which auto populates from the group table, but as we've said is most likely irrelevant). More importantly, it allows me to add several records for a user placing them in several groups, if required, without using an EnumList Ref multiple select field, which I couldn't imagine working.

This essentially, creates a table where I have the staff name, email and group. Which I can use to reference in the security filter, hopefully.

Could you see any drawbacks or issues here? Thanks again for your previous answer.


@David2 wrote:

If I had my staff table, and my Groups table, what would you suggest for connecting these?


As you reference elsewhere in your post, there are essentially 2 available approaches. Either should be feasible.

  • Your current approach of using a join table. All you should need there are 2 columns--staff ID and group ID. Create a row for every assignment of a single staff to a single group.
  • Use an Enumlist type field in the staff table to select for each staff all the assigned groups.

In either case, the IN function I mentioned would be applicable--e.g., to check whether a group with elevated permissions is IN the list of groups for the current user.

Steve
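Added example, not part of the thread and not AppSheet's or any poster's code: a Python model of the row-level rule discussed above ("own rows, or all rows if the user belongs to an elevated group"), evaluated against both data layouts from the last reply. The table, column and group names and the sample rows are constructed assumptions, and the AppSheet expressions in the comments are sketches using those assumed names; the group's own email address is never consulted.

```python
# Constructed sample data. Table, column and group names are assumptions,
# not the poster's actual schema.
STAFF_GROUPS = [  # join table: one row per staff-to-group assignment
    {"staff_email": "ann@example.com", "group": "Sales"},
    {"staff_email": "bob@example.com", "group": "Production"},
    {"staff_email": "bob@example.com", "group": "Timesheet Admins"},
]
STAFF = [  # alternative layout: EnumList-style column on the staff row
    {"email": "ann@example.com", "groups": ["Sales"]},
    {"email": "bob@example.com", "groups": ["Production", "Timesheet Admins"]},
]
TIMESHEETS = [
    {"id": 1, "staff_email": "ann@example.com"},
    {"id": 2, "staff_email": "bob@example.com"},
    {"id": 3, "staff_email": "cat@example.com"},
]
ELEVATED_GROUP = "Timesheet Admins"  # hypothetical group allowed to see all rows


def _same(a, b):
    # Compare emails ignoring case and surrounding whitespace.
    return a.strip().lower() == b.strip().lower()


def groups_via_join(user_email):
    # Expression counterpart (assumed names):
    #   SELECT(Staff Groups[Group], [Staff Email] = USEREMAIL())
    return [r["group"] for r in STAFF_GROUPS if _same(r["staff_email"], user_email)]


def groups_via_enumlist(user_email):
    # Expression counterpart (assumed names):
    #   LOOKUP(USEREMAIL(), "Staff", "Email", "Groups")
    for row in STAFF:
        if _same(row["email"], user_email):
            return list(row["groups"])
    return []


def visible_timesheets(user_email, group_lookup=groups_via_join):
    """IDs of rows the filter admits for this user:
    OR([Staff Email] = USEREMAIL(), IN("Timesheet Admins", <user's groups>))"""
    if not user_email:  # no signed-in user: admit nothing
        return []
    elevated = ELEVATED_GROUP in group_lookup(user_email)
    return [t["id"] for t in TIMESHEETS
            if elevated or _same(t["staff_email"], user_email)]
```

Both layouts give the same result for every user; the join table only changes how the user's group list is obtained.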