Closed Nikhil-Nandagopal closed 1 year ago
Consider the below use cases:
For building a customer support panel dashboard, the pages would require categorisation (e.g. a few pages will be in the product A category while a few pages will be in the product B category). But all users won't have access to all pages. Product A category users will access only pages under product A, and product B category users pages in product B. So this would require page-level access.
Continuing from the above, even certain users having access to product A pages will have only read access, i.e. they can view the contents of the page but cannot perform actions like creating or updating entries. This will require ACL categorised on page level as well.
So considering the above use cases:
Will this issue be covering both the above-mentioned use cases? And what is the priority of implementing this?
The way I can see UAC being controlled right now is by making different organizations with different shares, but there isn't currently a way to copy a project across organisations. Having too many organisations/apps in the front page is also very messy, so perhaps some form of grouping might be handy here? (Perhaps these are separate issues)
Nevertheless, I agree that there should be more granular access, perhaps accessibility by each Page of an app, at the very minimum.
@alderson59 we're introducing a way to copy apps across orgs. We'll be introducing app-level access control as well but it will be a part of our enterprise edition :)
I do hope that this feature isn't only part of a very expensive enterprise edition. As a small business, it is very handy to have more granular permissions to reflect our business rules and processes into our systems.
That said, as a business, we are very happy to pay for licenses or support contracts to support Appsmith and features like this. Unfortunately software like Outsystems and Retool have focused nearly entirely on "enterprise" by crippling or excluding features like granular permissions for smaller businesses (understandable as that is where the profit is).
(This isn't the only reason I decided on Appsmith. There are many reasons I believe Appsmith has more potential and is headed in the right direction. I look forward to seeing how you evolve.)
Thank you for considering this.
Thank you for the insight @bamboowonder! We will definitely introduce a reasonably tiered pricing for features like these. Stay tuned for more updates on this feature :)
Hi, I need to be sure each user can see only data they have created and a manager can see multiple users. Like in Parse-Platform: a Role contains multiple Roles and multiple Users, and each record has View, Read, Write, Delete access; each table has a create right depending on users and roles. Is it your plan for Granular Access Control? Same as @bamboowonder, I hope pricing will be reasonable.
2 Feb 2022
Discussed
User groups, Permission groups and Policies will be maintained at the instance-level
Next steps
Permission Group, modeling a real-life scenario, to show the hierarchical and lateral propagation of permission configurations
9 Feb 2022
Discussed
Users will exist at the instance level
Permission Group creation flow to depict inheritance of permissions
Next steps
16 Feb 2022
Discussed
Users can be invited to an instance and either assigned Permission Groups or invited into User Groups
Permission Groups may be associated with a User or User Group
User Group creation
Next steps
23 Feb 2022 and 1 Mar 2022
Discussed
Permission Group creation
Next steps
Create permissions in the CRUD matrix on the wireframes @Debsourabh
User Group and Permission Group configurations @vuiets
23 March 2022
Discussed
Permission Group creation
Permission Group configuration page - App Resources, Datasources and Queries, User Groups and Permission Groups, Git Sync
View permissions will translate to showing or hiding a resource in the UI; making a resource read-only and managing access approvals is moved to the next phase
Next steps
User Group creation and Permission Group creation flows
30 March 2022
Discussed
Invite User flows and Permission Group creation
User Groups but no longer association of Permission Groups
User Groups from Identity Providers that we integrate with; Users will have to be invited
Git Sync permissions are moved to the next phase. While we have a set of permissions, we are yet to identify the value in granularising them today. Also, there is an open question on if we should open up branch-level permissions
Next steps
User Group and, more importantly, Permission Group creation based on feedback
Hi All,
I've asked Appsmith support about the feature (not sure if it exists or not).
I would like to know if there is a feature to assign "App Viewers" to different user/permission groups so that I, as a Developer, can restrict which/what data (from the data source) is displayed on UI widgets/components based on User/Permission group.
@myang-clgx yes that will be possible with this feature. A possible workaround for this would be to manage this assignment on your end and return the users group in an API and use that to restrict what data can be displayed on the UI. Work on this feature is underway so you can stay tuned to this GitHub issue for updates :)
20 April 2022
Discussed
User Group creation, Permission Group creation, Invite User flows and handling Search in these pages.
Next steps
User Group creation page
Permission Groups page
@vuiets @Debsourabh can you share the latest figma links here?
@Nikhil-Nandagopal Figma Links : https://www.figma.com/file/15Kg4GX2SroULDbgkwy4xF/?node-id=353%3A19729
I'm not sure if that will be useful for this particular feature, but I recently recorded a video about how I wish to use AppSmith, by comparing it to Stacker. The goal being to build things super fast. I share it in the hope that it'd be insightful.
Video: https://youtu.be/Lth1YzKrHa4 Discussion: https://discord.com/channels/725602949748752515/725609493974614076/967773553799888968
Thanks a tonne for taking the time to put this together and share it with us @Vadorequest. Deeply appreciate the insights. With RBAC we're keeping it simple and quick to setup with fine-grained control over who has access to your app resources and data sources. We also give you some handy permission presets that you can leverage on the go for admins, developers and consumers of your app.
We'd still like to hear your thoughts around it and be happy to give you a glimpse of what is in works. Could you pick a time slot that works for you for a chat on RBAC?
📆 Calendly: https://calendly.com/appsmith-vishak/conversations
> I'm not sure if that will be useful for this particular feature, but I recently recorded a video about how I wish to use AppSmith, by comparing it to Stacker. The goal being to build things super fast. I share it in the hope that it'd be insightful.
> Video: https://youtu.be/Lth1YzKrHa4 Discussion: https://discord.com/channels/725602949748752515/725609493974614076/967773553799888968
THIS. I agree with all of the feedback in the video. I use appsmith for a few small apps where I really needed fine detail customisation. But for the majority of our apps, we just needed boilerplate scaffolding. Appsmith is great for something very custom, but for standard crud apps (80% of apps for us), it is so much slower because everything has to be built from scratch. I very much wish that a robust initial scaffolding could be created when starting to work with a datasource. The current crud builder is also more of a hindrance and brittle, and could use a lot more polishing.
Hi Team,
Thank you for the great product. Do you have any update on this feature?
Me too on timeframes. Also please share any thoughts on hosting license for resellers offering appsmith based apps to clients cloud or on-prem. This is important as it encourages us all to stay in the team vs fork and build RBAC open source.
@cloudsuperapps @cyber-cyborg999 we're currently working on this feature. We have some designs ready and we'd love to speak to you to validate our solution. If you're interested in a sneak peek, you can block some time on my calendar below https://calendly.com/appsmith-nikhil/30min?back=1&month=2022-06
Sorry about the lack of update in recent times. The project is very much in progress.
2 June 2022
Discussed
Next steps
8 June 2022
Discussed
Next steps
6 July 2022
Discussed
Next steps
Thanks for the update. On my side, my access control needs were at row level mainly. I finally achieved it using Parse Platform with the GraphQL API: https://parseplatform.org/ After authentication, each user can only see his data. In addition, UI element visibility can be managed based on roles defined in Parse Platform. Note: I used Tabs (like the example on YouTube) to hide the application until the user logs in. Visibility of a page based on JavaScript would be more elegant: https://github.com/appsmithorg/appsmith/issues/1092 It looks like it will also be part of the Business Edition.
Hey @slysiou, thanks for sharing how you're managing access control at your end. This is interesting. Would you like to talk to us over a call so I can get your requirements down in detail? Please feel free to pick a time that works best for you - 📆 Calendly: https://calendly.com/appsmith-vishak/conversations
20 July 2022
Discussed
Next steps
Any update on this feature?
Hey @naveenthontepu we are actively building and testing this right now and we'll have this up and running on our Business edition in this quarter.
Hi, will there be a way to group & sub-group users? We have built an admin dashboard, with the focus of having different teams work on different client issues (team & issue: A,B,C), with different team members within those teams working on issues according to complexity qualifications (complexity: 1,2,3).
So, teams A,B,C attend to different types of issues, but within every team, there are levels 1,2,3. This would mean different people within team A would work on issues 1, 2, or 3, depending on the user group they might belong to.
E.g.: User: Tom Team: A Level: 3
This user would then only have access to team A, level 3 issues.
@SisekoS we don't have a concept of subgroups but you can simply model them as teams A1, A2, A3 and have a role called RA, RA1, RA2, RA3 which is cloned from role RA. Would this work for you?
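The team/level modeling suggested above (teams A1, A2, A3 with roles cloned from RA), together with the earlier workaround of resolving a user's group on your own backend to restrict data, can be sketched as follows. This is an added example, not Appsmith code: the function names, the `"*"` wildcard level, the email address and the sample issues are assumptions made for illustration.

```javascript
// Added illustration, not Appsmith code. Every name here is hypothetical and
// the users, groups and issues are constructed sample data.
const roles = new Map();      // role name  -> list of grants
const groupRoles = new Map(); // group name -> role names
const userGroups = new Map(); // user email -> group names

function defineRole(name, grants) {
  roles.set(name, grants.map((g) => Object.freeze({ ...g })));
}

// Clone a base role, narrowing every grant to one complexity level.
function cloneRole(baseName, newName, level) {
  const base = roles.get(baseName);
  if (!base) throw new Error(`unknown base role: ${baseName}`);
  defineRole(newName, base.map((g) => ({ ...g, level })));
}

// Default deny: access needs an explicit grant reached via user -> group -> role.
function can(user, action, issue) {
  return (userGroups.get(user) ?? []).some((group) =>
    (groupRoles.get(group) ?? []).some((role) =>
      (roles.get(role) ?? []).some((g) =>
        g.action === action && g.team === issue.team &&
        (g.level === "*" || g.level === issue.level))));
}

// Filter on the server, so rows a user may not view never reach the browser.
function visibleIssues(user, issues) {
  return issues.filter((issue) => can(user, "view", issue));
}

defineRole("RA", [
  { action: "view", team: "A", level: "*" },
  { action: "update", team: "A", level: "*" },
]);
for (const level of [1, 2, 3]) {
  cloneRole("RA", `RA${level}`, level);
  groupRoles.set(`A${level}`, [`RA${level}`]);
}
userGroups.set("tom@example.com", ["A3"]); // Tom: team A, level 3

const issues = [
  { id: 101, team: "A", level: 3 },
  { id: 102, team: "A", level: 2 },
  { id: 103, team: "B", level: 3 },
];
console.log(visibleIssues("tom@example.com", issues).map((i) => i.id)); // [ 101 ]
```

Hiding a widget or tab in the UI only changes what is rendered; the filter has to run where the data is served for the restriction to hold.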
Closing this issue as the feature was released in v1.9, you can find documentation on the same here. Please track the RBAC label or #19228 for future development 👋
Problem statement
Users in larger organizations need more granular control over which users have access to which parts of an application. Developers need to be able to create groups of users and assign the permissions they have depending on the app/page they are a part of.
Related issues
Success criteria
Users are able to secure their applications up to the page level without any concern for security
PRD: https://www.notion.so/appsmith/PRD-Attribute-based-Access-Control-ABAC-1d18f6a7f344434c8e43809cce46e64c
UI: https://www.figma.com/file/ahB1BWStZ7hnqnknrO7EEq/ABAC?node-id=5%3A3
RACI matrix
| | |
| ------------- | ------------- |
| Responsible | @trishaanand @ankitakinger @albinAppsmith |
| Accountable | @vuiets |
| Consulted | @mohanarpit, @Nikhil-Nandagopal |
| Informed | @hiteshjoshi |
Front conversations