Security, User Permissions

Behram_BASHIR · 10-29-2020 12:30 PM

Need some help in setting up a security/user permissions on tables.

The app I am working on will deal with various offices, each office can have multiple managers, multiple supervisors under the managers, and multiple employees under the supervisors.

I am trying to setup security filters on tables such that an employee will not be able to see data of anyone else except for their own. A supervisors will only see data of her/his reportees. A manager will only see the data of her/his supervisors and the data of the supervisors’ reportees.

In my research I came across May 19, 2020 Office Hours, at 48 minute mark one of the hosts says they recommend not using the security filter expression method to secure an app. So my question is what’s the best way to tackle this task? I have setup a user table setup, which contains columns that define user’s email, office, the n+1, location in the organizational hierarchy, etc…don’t know where to go from here. Any help would be appreciated.

Marc_Dillon

For reference: https://youtu.be/N35UyIivHxY?t=2820

You are misunderstanding what they said in the video. You definitely should be using Security Filters for your case here. This is a case of them using a poor example to introduce security filters, with a large and non-trival expression, and then just talking about how bad of an example it is. Though the expression that they are showing is a good example of something probably similar to what you should be using.

I would start here:

Aleksi

You could probably also use the Horizontal technique with the Security Filter.

Behram_BASHIR

I really like the horizontal scaling. Going to put it in use. Hopefully it goes smoothly.
Thank you @Marc_Dillon & @Aleksi

Behram_BASHIR

I have found the fix.

[Email] was showing a key value, not actually an email address, since its an ref column. [Email].[Email], which referred to the column containing the email in the ref table gave me the actual email.

The solution:

SWITCH([Email].[User Role],
“User”, [Email].[Email] = USEREMAIL(),
False
)

Hi all,

I have hit an expression issue. I found a post that dealt with the same issue but it’s solution did not help. (UX --> Show If --> USEREMAIL() with a column)

I am trying the following as a security filter in table “Log” which contains “Email” which refers to table “People” that contains the column “User Role”.

SWITCH([Email].[User Role],
“User”, [Email] = USEREMAIL(),
False
)

And got the same error as OP of the post from the link above. I tried using: “User”, IN(USEREMAIL(),Log[Email]) But got the error “The filter expression cannot reference the table being filtered.”

Any tips/hints/advice to get over this hump?

OptimiX_XcrY

In a similar case, I build the supervisor app , and then I created two copyies of this app and edited them and simplified them for lower departments. It helped in terms of performance and easy maintanance

In your case, I would build three apps

Behram_BASHIR

Performance is an interesting point. I was just thinking about how much slower my app is right now.

Did you by any change create one app where people log in, and based on their level they get forwarded to another app using deep links?

OptimiX_XcrY

I am not good with deeplinks.

But I did build a main app as an app portal (all users have access) , but if they click on an app they don’t have access, it just won’t work (of course, a smarter way would be to just hide some app icons for some users).

PS: the top 3 apps is the same app for three departments