I’ve just finished the University lessons on row-owners and roles and I’m still not sure how to apply this to my use-case (not that I am trying to do anything particularly complex). Anyone up for giving me some input on this?
I am building a tool to help manage the work I do with client businesses. I use it to record meetings, actions, etc., and the clients also log in to update progress, share more information, etc.:
Two types of user (Let’s call them Advisor & Client)
Advisor can see / edit anything.
Clients relate to a company: Can be multiple users per company
Clients can only ever see data relating to the company they are part of
This all needs to be reasonably secure, not just in source but hidden from view.
What I was trying to do:
Restrict to users in users table only
Have company id column as role
Add company ID to all sensitive rows (pretty much everything).
I feel like I have missed a step though. This doesn’t seem to work. No user can see anything. I also don’t know how to deal with the advisor role using that method.
You are on the right track, just missing a few details. Here are a few pointers:
Make sure you have a Role column (Text type) in your User Profiles table, and it is set as the Role in your User Profiles configuration.
Each of your Advisors should have an “Advisor” role.
Each of your Clients should have their CompanyID as a role.
Now in each of your tables where you want to protect data, you will need two (Text type) columns with Row Owners applied:
– The first column should have the word “Advisor”, so that your Advisors get access. Obviously you’ll want this in every row.
– The second column should have the CompanyID of the Company that each row is associated with.
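A simplified model of the two-column setup described in the answer above, added here as an illustration; it is not part of the thread and not the platform's own code. It assumes a row is delivered to a user when any Row Owner column exactly equals the user's email or role; the column names, users and sample rows are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    email: str
    role: str  # "Advisor" for advisors, the CompanyID for clients


# Hypothetical names for the two Row Owner columns from the answer.
OWNER_COLUMNS = ("AdvisorOwner", "CompanyOwner")

# Constructed sample rows, including two common data-entry mistakes.
ROWS = [
    {"id": 1, "AdvisorOwner": "Advisor", "CompanyOwner": "ACME", "note": "Kickoff meeting"},
    {"id": 2, "AdvisorOwner": "Advisor", "CompanyOwner": "GLOBEX", "note": "Pricing review"},
    {"id": 3, "AdvisorOwner": "", "CompanyOwner": "ACME", "note": "Action list"},  # marker forgotten
    {"id": 4, "AdvisorOwner": "Advisor", "CompanyOwner": "", "note": "Draft"},     # no company set
]


def visible_ids(user, rows=ROWS):
    """Ids of rows the user receives: any owner column matches email or role."""
    # Empty identities are dropped so a blank role never matches a blank owner cell.
    identities = {value for value in (user.email, user.role) if value}
    return [
        row["id"]
        for row in rows
        if any(row.get(col) in identities for col in OWNER_COLUMNS)
    ]


def audit(rows=ROWS):
    """Rows that would silently disappear for advisors or for every client."""
    return {
        "hidden_from_advisors": [r["id"] for r in rows if r.get("AdvisorOwner") != "Advisor"],
        "hidden_from_all_clients": [r["id"] for r in rows if not r.get("CompanyOwner")],
    }


if __name__ == "__main__":
    for u in (User("ann@example.com", "Advisor"),
              User("bob@acme.example", "ACME"),
              User("eve@example.com", "")):  # signed in, but no role assigned
        print(u.email, visible_ids(u))
    print(audit())
```

Running an audit like this over an export of each protected table catches rows where the “Advisor” marker or the CompanyID was left blank before users notice missing data.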
Good news: Works perfectly. Thanks - That would have taken me a long time to work out.
Bad news: I’m now in trouble at home because I’m itching to update the whole app to do this and I am apparently supposed to be wrapping Christmas presents.