  • 1

Multiple users need to access only some rows (with overlapping use of roles)


vidierre

Question

I have a lot of tables with the company field. Now what I am looking for is an authorization mechanism allowing users to see only some companies.

But I have two issues:

1) If I look into row-level restrictions I have this scenario: some users should see only companies A, B, C; others should see B, C, D; others have to see A, D, E, F and others all companies. I read "Restrict Access to Data by User or Role" but it seems very poor because it does not seem to be roles restriction, but rather data partitioning where each partition is allowed to some users. This brings some limitations in other scenarios and a huge amount of data handling when users change roles.

2) If I look into user roles restriction I do not understand how to assign more than one role to a user. In the article I mentioned before it seems to me that roles are implemented with DIFFERENT LOGIN SCREENS. I think this is a misunderstanding of mine, because this is not roles handling. This is multiple access.

Let me give an example: you go into a PUB where room A and room B are reserved for two different parties and the remaining space is for everyone. Very likely you will enter through ONE pub entrance and then you'll find a PUB clerk who, after asking your name, checks if it is on a party list and directs you to the proper room or to the public ones.
This organization DOES NOT CHANGE even if there are more parties or none; the only thing changing is the clerk's list (role assignment list). INSTEAD I have understood that in CASPIO the PUB should open and brick up doors according to the parties it hosts! It seems very strange to me to develop a new login page for each role and instruct users to change login page for each role they have.....

Am I missing something? How can I handle overlapping roles and, more important, how can I handle users' role changes without changing data in all tables?

 

 

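The "clerk list" from the pub analogy in the question, modelled as two mapping tables in a generic SQL database (SQLite driven from Python). This is an added example, not part of the original post and not a Caspio feature; the table names, role names and user names are made up for illustration. Data rows carry only `company`, so overlapping roles and role changes touch the mapping tables alone.

```python
import sqlite3

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, company TEXT NOT NULL);
        CREATE TABLE role_company (role TEXT, company TEXT, PRIMARY KEY (role, company));
        CREATE TABLE user_role (username TEXT, role TEXT, PRIMARY KEY (username, role));
    """)
    # Constructed sample data: one data row per company A..F.
    db.executemany("INSERT INTO invoices (company) VALUES (?)", [(c,) for c in "ABCDEF"])
    # Role -> companies, following the sets named in the question.
    roles = {"abc": "ABC", "bcd": "BCD", "adef": "ADEF", "all": "ABCDEF"}
    db.executemany("INSERT INTO role_company VALUES (?, ?)",
                   [(r, c) for r, cs in roles.items() for c in cs])
    # User -> roles; bob holds two overlapping roles at once.
    db.executemany("INSERT INTO user_role VALUES (?, ?)",
                   [("ann", "abc"), ("bob", "abc"), ("bob", "bcd"), ("eve", "all")])
    return db

def visible_companies(db, username):
    """Companies whose rows the user may read: the union over all of the user's roles."""
    rows = db.execute("""
        SELECT DISTINCT i.company FROM invoices i
        WHERE i.company IN (
            SELECT rc.company FROM role_company rc
            JOIN user_role ur ON ur.role = rc.role
            WHERE ur.username = ?)
        ORDER BY i.company""", (username,))
    return [r[0] for r in rows]

def set_roles(db, username, roles):
    """A role change rewrites only user_role; no data table is updated."""
    with db:
        db.execute("DELETE FROM user_role WHERE username = ?", (username,))
        db.executemany("INSERT INTO user_role VALUES (?, ?)",
                       [(username, r) for r in roles])
```

A user with no row in `user_role` gets an empty result, so the default is deny.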

8 answers to this question


  • 0
1 hour ago, CoopperBackpack said:

Hello @innov2e,

I am not sure, but maybe this Forum post is helpful 

 

Hi @CoopperBackpack, yes, this addresses the issue of giving users access to partitions of data and allowing their access to overlap. But it is awful to manage: when I add/change/delete a role I must keep track of all tables where it is used because I need to "mark the records to which group they belong". This is very far from native roles support.
Roles are useful in a lot of scenarios, i.e. in this post

There is another scenario, but it is not handled; it is delegated to custom code that you need to update at every role change.

The more deeply I read, the more I believe that roles management is the weak side of CASPIO.

I also read about SAML (which implies a big money cost in terms of CASPIO plan), but any role handling inside the CASPIO app again seems to be done with ad-hoc coding.

I wonder, because even Airtable (which in my opinion is far from CASPIO) has a little role-based functionality in its core (see gif below). Even if they too miss any read restrictions (there are requests to implement it).

field-table-demo.gif


  • 0

I am quite new to Caspio but this topic is so important that it is the first thing I am trying to resolve.  For example, for confidentiality we need:

Client A     Accessible by All Users

Client B     Accessible by User1 and User3

Client C     Accessible by User1 and User2

Client D     Accessible by User1 only.

When I'm more experienced with Caspio I may find a better workaround, but at present I am thinking along the lines that every Client Record should contain a Field for User1, a Field for User2, etc., leading to a View for each User, leading to a Page showing records available to that User based on their login.  This last part is described in the "Getting Started Videos" here:

https://howto.caspio.com/getting-started-videos/video/?cbResetParam=1&vid=E29B3E10627343568BD74ACAB5C90873&menu=menu-item-27528&title=Intermediate Training - App Architecture & Authentication

If anyone more knowledgeable could suggest a better approach I would be grateful.  If I devise a workable solution I shall post it here.

Edited by JonSmith
clarity

  • 0

@JonSmith I made a workaround, but it was possible only because I publish Caspio pages into a WordPress site (I do not know if it is your case). I developed this:

1) My users authenticate themselves to WordPress and the Caspio app has no authentication.
2) I added a WordPress custom field to the user's profile
3) Each datapage is filtered using an external parameter
4) Datapages are called with a small JavaScript (using the snippet plugin) that:

  • retrieves the custom field and uses it as URL parameter to collect
  • builds the URL to embed the datapage using the custom field as URL parameter

The warning point of this solution was the security because you call datapages with no authentication. But I enforced this by:

a) Obviously allowing only https
b) Showing nothing if the parameter is blank or wrong

I am testing another security enforcement, which is to add a unique key to the application: a new GUID field, which I called tenant, that is unique for all records in the app.
Each user will have another custom field where I manually write the GUID when I add the user. All datapages will be filtered with this GUID. In a few words: two secrets are better than one.....
As soon as I have free time I wish to write an article about this.


  • 0

I remember creating a setup where each company has a text255 or text64000 field where I collect the userIDs of all the users allowed to see it, as CSV. Then on the report datapage, instead of using RLS, I create a hidden search field that will check if the list-of-IDs field (which I mentioned above) contains the current user's ID.

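A check worth running against the CSV-list approach in the post above, as an added example that is not part of the original post: a "contains" comparison on the raw text also matches partial IDs and a blank ID, so both sides should be wrapped in the delimiter. This is generic Python rather than Caspio configuration; the company names and ID lists are constructed sample data.

```python
# Constructed sample records: (company, CSV list of user IDs allowed to see it).
RECORDS = [
    ("Acme", "12,340,7"),
    ("Globex", "112, 34"),
    ("Initech", ""),
]

def contains_naive(allowed_csv, user_id):
    """Plain substring test on the raw list text."""
    return str(user_id) in allowed_csv

def contains_delimited(allowed_csv, user_id):
    """Substring test with both sides wrapped in commas, so only whole IDs match."""
    needle = str(user_id).strip()
    if not needle or "," in needle:
        # A blank ID, or one carrying the delimiter, never grants access.
        return False
    normalized = "," + ",".join(p.strip() for p in allowed_csv.split(",")) + ","
    return f",{needle}," in normalized

def visible(records, user_id, check):
    """Names of the companies the given check would show to user_id."""
    return [name for name, allowed in records if check(allowed, user_id)]
```

With the naive check, user 12 also sees the record meant for user 112, and a blank ID sees every record.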