Separate Businesses In App - Security Question

I'm creating an app whose users need to access only the records that are associated with the Member Business that the user belongs to.

Based on the Security Documentation, the users need to be the row owners for each record, correct?

This app will have multiple Member Businesses and the Member Businesses create users for each Member Business. And the users will have different Roles for that Member Business, like CSR, Field Person, Manager, and Owner.

Is there a way to allow only Users Associated with a Member Business to access that Member Business's records without being insecure (showing the other Member Businesses' records)? I cannot allow one Member Business to snoop around inspecting the elements and be able to see the other Member Businesses' data.

Yes you could do that with row owners and roles.

1 Like

@Eric_Penn let me clarify.

The documentation says “When you use visibility conditions or design a screen to show some data but not other data, your app still downloads whatever data it can for the corresponding sheet, even if it is not displayed in your app.”

Business 1 has 25 records stored in 1 table.
Business 2 has 25 records stored in 1 table.

Both businesses have the records stored in the same table.

How do I SECURELY allow all of the users that have the role CSR for Business 1 to see only the records stored in the table that are associated with Business 1, and not inadvertently expose the records of Business 2?

If I use Row Owners for this, only the user that created the record will be able to see it. I need all users for the specific Member Business to see it, but also to keep the whole table secure from the other businesses snooping into the returned data.

Hi!
You can use a role as row owner to grant access to all businesses: just add a column to each row, write "supervisor" to it, and set it as a row owner. Then add a role column in the user table and write "supervisor" for the corresponding users. Don't forget: you must write the user's role only in the editor.

1 Like

You can fetch secured data from an external source to your app according to the permission column.

What I would do is assign each business ID as a role value to each user in the user table. Then when you create a row for each business in your other tables, make sure you write the business ID to one of the columns and make that column a row owner column, which will grant access to any user that has a role with the same business ID.

I assume data security is not as critical for each user position within a particular company. In that case, you can use pseudo roles, such as CSR, and use that to control visibility and filtering of certain screens and components.

So in the end the Role functionality will control data security for each business but the pseudo role/position will control everything else within the company.

2 Likes

What I do is assign the roles as Business-1, Business-2, Business-3 etc…

When adding a new row of data I add the signed-in user's role (and any other roles that should have access to that data) in the same row.

E.g. Business-1 | CSR

If we make both those columns row owners then anyone with the role CSR will see the data and also Business-1 will see that data.

Then for visibility conditions, editing, delete… I use ‘is included in’.

E.g. we want a specific tab visibility for anyone with a Business role… when Business → is included in → User profiles → Role

The problem with this is that users with the CSR role will be able to access data from Businesses other than their own.

Jeff’s response is exactly the correct way to set this up.

1 Like
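A simplified model of the two setups discussed in this thread, as an added example that is not part of the original posts and is not Glide's code. It assumes a row is downloaded when any row owner column matches any of the user's roles; all names and data are constructed.

```python
# Simplified model of row-owner filtering (assumption: a match on ANY
# row owner column grants access). Names and rows are constructed.
ROWS = [
    {"id": 1, "business": "Business-1", "position": "CSR"},
    {"id": 2, "business": "Business-1", "position": "Manager"},
    {"id": 3, "business": "Business-2", "position": "CSR"},
]


def downloaded_rows(user_roles, rows, owner_columns):
    """Rows delivered to the client: this is the actual security boundary."""
    roles = set(user_roles)
    return [r for r in rows if any(r[c] in roles for c in owner_columns)]


def screen_rows(rows, position):
    """Visibility/filter step: runs on rows already downloaded, so it
    only shapes the UI and protects nothing."""
    return [r for r in rows if r["position"] == position]


def ids(rows):
    return sorted(r["id"] for r in rows)


def leaky_scheme():
    # A Business-2 CSR whose roles are "Business-2" and "CSR", with BOTH
    # the business and position columns set as row owners.
    roles = {"Business-2", "CSR"}
    return ids(downloaded_rows(roles, ROWS, ["business", "position"]))


def business_only_scheme():
    # Same person: only the business ID is a role and only the business
    # column is a row owner; "CSR" is a pseudo role used for filtering.
    rows = downloaded_rows({"Business-2"}, ROWS, ["business"])
    return ids(rows), ids(screen_rows(rows, "CSR"))


if __name__ == "__main__":
    print("both columns as row owners:", leaky_scheme())      # includes a Business-1 row
    print("business column only:", business_only_scheme())
```
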

Ahhh gotcha. I guess I misunderstood the assignment. I meant the same as Jeff essentially. I use separate IDs for each business… the only difference is that I use the same prefix for each one (‘Business-x’).

1 Like
